The recent Juniper vulnerabilities are especially concerning though when it comes to the NOBUS argument. In fact, they completely destroy the argument. The US has already confirmed they are not behind the attack, and I believe them. But if not the US, then you have to ask who would be behind such an attack?
We can gain some insight by first considering that the hack was very likely performed by government sponsored intelligence. Criminals are generally playing a short game when it comes to cyber crime, meaning they compromise a network, exfiltrate data, and make use of that data. Planting backdoors in Juniper source code in the hope that they would eventually make their way into the product base may take years to come to fruition. This completely discounts the effort that might be required to penetrate Juniper's code base and remain hidden. And did they ever remain hidden. Based on a review of the affected platforms, the attackers have had the backdoor in place since 2012. More than three years of internal code reviews failed to discover the backdoor code.
But the vulnerabilities themselves are also telling. In particular, CVE-2015-7756 could only really be exploited by an adversary with the ability to intercept VPN traffic. If you don't have the VPN traffic, then the keys to decrypt it are meaningless. The fact that this change would be made to the Juniper code base implies that whoever did it has the ability to intercept VPN traffic en masse and the ability to process the decrypted traffic.
In the infosec community, we often talk about how any country with good talent can start a network exploitation program. But the resources required to capitalize on the Juniper hack really limit the number of possible suspects. I won't speculate on who I think is responsible for the compromise, but since it wasn't the US, I think we can officially put the NOBUS argument to bed... forever.