by openasocket
3361 days ago
The issue is that when you have analysts combing over your attack, there are so many different ways information can be leaked that it's impossible to try and elude everything. To properly conceal your identity to prevent fingerprinting, you'd have to rewrite all your malware from scratch every time using completely different techniques, and choose targets largely at random so your motives don't become obvious. So APT groups have to prioritize what information you absolutely don't want to get out and go from there, and look at the trade-offs involved. To conceal working hours, you'd have to either make everyone work random hours (which wouldn't be very popular) or perform certain activities like domain registration on a random time delay (which you may not always want; some things really need humans on keyboards to monitor). So it's a lot of effort to conceal an attribute that, while telling, isn't actually enough to implicate you.