“Security researchers are always looking to understand the approach attackers are taking or have taken if part of an incident response effort. This includes what a C&C server is doing, where it’s located, approach it might take to hide itself, compromised data, impacted victims etc. So poking and prodding the actual code of the attackers is perfectly normal. In fact under-scoping an attack is one of the biggest mistakes IR teams could make so we strongly advise teams to complete their analysis before they start to respond, otherwise they would likely miss a key element and not actually stop the attacker.
That said there is a fundamental difference between understanding an attack approach and say carrying out an attack on the hackers. The former is what research teams do every day, the latter is what makes for a good movie (well maybe weak depending on your definition of good movie). So the notion of “hacking back”, at least in our experience is best left for the sound stage.”