They discuss that both in the passive and active sense. I'd say that only the active sense appears to be similar to a false flag operation. From the article:
Fourth-party collection – As described previously, fourth-party collection involves interception of a foreign intelligence service’s ‘computer network exploitation’ (CNE) activity in a variety of possible configurations. Given the nature of Agency-A as a cyber-capable SIGINT entity, two modes of fourth-party collection are available to it: passive and active. The former will take advantage of its existing visibility into data in transit either between hop points in the adversary’s infrastructure or perhaps in transit from the victim to the command-and-control servers themselves (whichever opportunity permits). On the other hand, active means involve the leveraging of diverse CNE capabilities to collect, replace, or disrupt the adversary’s campaign. Both present challenges which we will explore in extensive detail further below.
As a layman, "fourth-party collection" sounds a lot like "false flag" to me... is there any key difference I'm missing?