Common pitfalls in attributing cyberattacks