Loose attribution can be placed on malware or threat actor activity due to the language contained within their commands, passwords, scripts, malware samples, etc.
For example, if a piece of malware has function names, variables, and strings in the Romanian langauge, it is a good indicator that the authors are Romanian. Conversely, if the strings within the sample were in French, chances are the attackers are Francophones.