Incidents such as DDoS attacks carried out against Estonia in 2007, Georgia in 2008, Kyrgyzstan in 2009 raised the question of whether and to what extent a State can be held responsible for a cyber activity in a domain where actors are often afforded anonymity. Hundreds of significant cyber-attacks on government agencies, companies, research institutions, etc. occurred to date. Some of these attacks were claimed to be operated by or linked to a State. In the aftermath of the COVID 19 pandemic, some States have allegedly sponsored cyber-attacks on research centers and medicine agencies such as European Medicine Agency to steal information related to the COVID-19 vaccine. On the assumption that a given cyber-attack is attributable to a State, this paper explores whether and to what extent the wrongfulness could be precluded by distress, necessity, or countermeasure.