"it communicated with a server in China, therefore it's clearly the Chinese"
You would expect such sites to be spread like butter around the world for exactly the reason you say. Criminals and the computers they control should be scattered randomly.
A concentration in one area or another is interesting data. Do we have more criminals? Do we have stupider sysadmins? My politics would insist that neither could be true. But alternative explanations don't seem to accompany reports of incursions.