It's extremely difficult to bring a hacker to justice, especially if they're in a foreign country. First you need to identify who the hacker is, and that is a whole different, complicated task.
It helps to know who's attacking you when creating cyberdefenses. It gives you a clue as to their motives and what they're trying to get from you. When an attack happens, identifying the perpetrator is one of the top priorities.
Just as at a regular crime scene, a hacker will leave clues behind in a cyberattack. Computer forensics teams look at how the hackers were able to get through, examine what programs they used, go through the code, and study the techniques used to get into the system. There's a lot of information that can be gained by looking at what evidence was left behind. All of this usually leads to the gateway, the entry point, the command center from which the attack originated and where stolen information is sent.
Once you trace an attack to a particular server, you might be able to find specific information about the hacker or the group behind the attack. Even here, though, it's sometimes not so easy, because false trails and red herrings may be left behind to throw investigators off track. Some hackers will even disguise their malware as a different, better-known piece of malware to try to keep investigators from looking at it more closely.
As cybercriminals become more adept at hiding their identities, cyberdefense agencies are becoming better at finding clues about them. But then the bad guys change their techniques, so the good guys adapt. And so it goes around and around in circles.