Intelligence operations have goals. If you want to understand them you should understand the goals of the intelligence operations otherwise you won't know what will happen next and you have no idea how to secure what data they were after.
Also it are operations, this means that they have been prepared some time in advance and they have been executed in different phases and they were followed up and evaluated or changed to make sure that they had the maximum effect with the least possibility of discovery. Extraction and destruction of evidence is as important in such an operation as getting the information.
The Belgacomhack was probably an US intelligence operation to get information from some mobilephone installations from the Bics network because at that time - just a supposition - the US administration was going after Bin Laden and they had only ONE lead and that were the couriers between Bin Laden and the rest of the organisation. Those people used their mobile phones from time and time but under strict rules of operational security (for example only a few hundred meters after they had left the building and when they were not phoning they also retired the battery). Those couriers sometimes took also other calls from other countries. Not sure there is a link, but I can imagine (it just imagination maybe) that somebody said whatever the effort you have to get that data and if it is too risky for discovery to go through the courts or the local operators just go through the operators but just get that data. I won't ask how you got it. And some people went out to try to get it. But as I said that is just speculation (they may also needed some information about other networks or cells or important people on the wanted list)
The Foreignaffairshack was probably a Russian intelligence operation looking for information about how the European commission and the NATO were reacting to the continuing infiltration of Russian soldiers and tanks into Oekraine. In this highlevel powergame Putin wanted just as Stalin during and after the second world war to have some spies or intelligence operation so he could know what the mindset at the moment was of his friends and opponents and how their reaction would be and what they were saying behind closed doors but not at him when they were sitting at the negotiating table. He had to know the real red lines before. And where can you find the information about the European Commission and the NATO in one place ? In the country where both have their headquarters. And which Administration is responsable for treating all these documents between the host country and the international organisations it is member off ? The Administration of Foreign Affairs. There are also people who think they were after another database.
The Sonyhack was probably a North Korean intelligence operation as a response to a film they didn't like about the great dictator who prefers to see himself as a father for his country. Well he got mad as hell and between the different options (throwing an atomb bomb on Hollywood, protesting diplomatically,....) destroying the company with a digital nuclear timebomb seemed like the best option. THis is exactly what is happening. THis operation started probaly in june or somewhat before and ended with the publication of the first dataset and the timed destruction of the internal computers and servers. Now every company in the world knows that if it angers the North Korean dictator he will destroy them digitally, so you better be prepared. If this was the goal, the message is received and understood.
So if these presumptions are right, than every intelligence service in the world worthy of its name is setting up intelligence operations in the digital world with political and intelligence goals while respecting all the normal operative security rules of an intelligence operation (which makes it hard to attribute them).
This is also the reason I think that for critical environments the security officer should not only have his medals of all his socalled exams and certificates but also a healthy dose of paranoia and be able to play mindgames or to think through how an intelligence operation against his network would be set up and what would be the weakest links or the moments that they still could be discovered or didn't clean up their tracks.
It is only when you start reading books about informationoperations and intelligence that you start to really understand the Snowden files. For malware and IT analysts these are just processes, files, connections and incidents. For an intelligence operative these are phases in an intelligence operation that will lead to a specific goal and have been prepared long time before. (by the way some of the scanning traffic of our infrastructure is also done by other intelligence agencies to put in their database so when they want to set up an operation they already have all the practically important information)