So what am I proposing? I propose we strive in all cases for clarity and exactness in talking about attacks -- nation-backed or otherwise. Whenever possible, we should avoid euphemistic terms like APT and "state sponsored actors" and speak, instead, of what we know for sure, and what we don't. Let's forget about the Spy vs. Spy "I could tell you but then I'd have to kill you" stuff.
If you're Google, don't say: "Your account may have been the target of a nation-backed attack."
Instead, how about:
"Hey, Gmailer! We noticed that you were sent an e-mail message that contained a link to a malicious Web site hosted in [COUNTRY]. We can tell you that the same server has been used in other attacks against Gmail accounts starting on [DATE]. The people targeted all appear to have ties to [AFFILIATION].
We can't tell you much about who or what is behind the phishing e-mail, but we can tell you that those attacked were infected with [MALWARE]. You should alert your employer about receiving this message. We also recommend you change your password for Gmail and other connected accounts, scan your computers for viruses and seriously consider adopting two-factor authentication to protect your accounts! Sorry!"
Verbose, I know. But sometimes less isn't more -- it's less.