Breaking into foreign computing assets is literally NSA's chartered job. Other countries could sue NSA for their CNE operations! At a certain point there is a sort of tacit understanding that the intelligence community operates in a sort of Hobbesian state of nature, and not under the laws of any one state.
A country wanting to penalize one of NSA's suppliers could single out a commercial CNE supplier and sue them the way US entities are suing NSO. That would jam the target company up, and prevent them from getting investment or doing M&A with companies under that country's jurisdiction. But for obvious reasons, US jurisdiction is a lot more commercially impactful than, say, Indonesian or Russian. Suing NSO is thus probably more impactful than suing a random NSA xdev supplier.
The understanding about SIGINT between intelligence agencies is especially strong within NATO (it probably doesn't need saying that the US and major Commonwealth countries have an even closer relationship still). For a long time, it was "common knowledge" that the biggest SIGINT challenge the US had was France, not any actual global military adversary. It's a little unlikely any major western market country is going to go to the mattresses over state-sponsored CNE from one of their own countries. I assume they have better ways of working this stuff out than lawsuits, which is why we never hear about them.
(I am out over my skis on at least the last paragraph of this analysis so take it for what it's worth.)
