That's similar to the Spanish government being behind the attacks... Effectively, a member of the Spanish government used (misused) their official capacity to take action against Catalan officials.
Perhaps that's not the official stance of the government, but an organization is only a monolith with a single public position to the extent that they're able to enforce proper actions. The official Spanish government being publicly neutral but actually unable to ensure that their own members act in accord with this position and instead instigating extensive attacks is not that different from the official Spanish government being behind the attacks. Will the insider be punished sufficiently to deter others from following in their footsteps?
"Insiders" are a very broad set of people, including low-level bureaucrats and motivations can include profit.
To pick one of the more likely scenarios: if a government worker sold a database on the open (criminal) market, there's no meaningful sense in which "the Spanish government is behind this".
Perhaps that's not the official stance of the government, but an organization is only a monolith with a single public position to the extent that they're able to enforce proper actions. The official Spanish government being publicly neutral but actually unable to ensure that their own members act in accord with this position and instead instigating extensive attacks is not that different from the official Spanish government being behind the attacks. Will the insider be punished sufficiently to deter others from following in their footsteps?