Yes it's difficult to find out who is behind attacks.
It's not difficult though, to hire experienced InfoSec professionals and support them adequately to provide a sufficient defense in depth architecture, patch management and monitoring to ensure it's difficult to get in, and just as difficult to get data out.
Since it is so difficult to identify hackers, you may want to keep this in mind when it comes to your risk management. Can I get a palm thump to the head?