It depends on what the malware is designed to do. Cui bono, as they say.
If the malware is designed to grab bank passwords or steal money, then you can assume there's a criminal enterprise behind it.
But if the malware is specifically targeting certain "problem" countries; and stealing documents and other things of non-monetary value, then it's very likely that there's a government behind it. Which criminal mastermind will say, "tomorrow, I'll steal Word documents of all Syrians" ? What will he do with them anyways? Given the abundance of low-hanging fruit, why would a criminal jump through all these hoops?
So state-sponsored malware writers should seed their payloads with misleading targeting information, but have an option to download other targeting code dynamically. (And erase such the moment it's not needed.)
If you're gonna go to that amount of trouble then why not steal everything, including CC numbers and why not target everyone, not just specific states?
If the malware is designed to grab bank passwords or steal money, then you can assume there's a criminal enterprise behind it.
But if the malware is specifically targeting certain "problem" countries; and stealing documents and other things of non-monetary value, then it's very likely that there's a government behind it. Which criminal mastermind will say, "tomorrow, I'll steal Word documents of all Syrians" ? What will he do with them anyways? Given the abundance of low-hanging fruit, why would a criminal jump through all these hoops?