The nation state as a threat model adversary is kind of a weird abstraction. Does it include intrusive questions eg about social media asked by a border agent on your next trip abroad? Does it include getting your web browsing traffic collected up by the nine eyes spooks? Or does it mean a rich country is marshaling all its resources in a manhattan project grade effort to target you personally?

In any case as in all things defense, you assume your adversary is to some extent rational and making attacks harder (more expensive, risky, opportunity cost, etc) improves the equation for you.

It _could_ mean any of those things, but in practice most APTs (this one included) seem to fit the profile of “Regular hackers doing this as a full time job”. Most seem to be five to ten people, probably just a small office somewhere. They can be extremely creative but they don’t seem to have extraordinary access to the machinery of state.

And then you’ve got Stuxnet, which both clearly involved many more people than that, but also actual physical espionage.