My own theory is that they are being tested by cybercriminals who are too smart to try and probe their own country's web infrastructure for fear of being arrested by local police. Naturally, this is easier to do in countries such as Russia that have less oversight for this sort of thing - it's a bit like the Isle of Man* setting low tax rates and people being puzzled why rich people move there.
Some of the testing may be state-sponsored, but I doubt it. I would expect that state-sponsored attacks generally tend to be tested behind closed doors, rather than in the wild, for the simple reason that you don't want to give your enemy clues as to what you're planning until you're ready so to do.
* I was going to say Monaco but I always wanted to live in Monaco as a kid because of the grand prix, of course.
Biting the hand that feeds IT
