The US has argued that they have jurisdiction over any cyber crime which affects a US company or institution, regardless of where the person was - e.g. Gary McKinnon [1] was indicted by a grand jury in Virginia for hacks on computers owned by NASA and the Pentagon despite never having visited the US.
What really matters in cases like these is whether the country in question will arrest and extradite the individual to the US - this is far less clear cut - see the Snowden case for an example of someone attempting to evade US extradition law.
Some countries (notably China) have been fairly opaque from a US judicial perspective - see hacks on Google, the New York Times blamed on the Chinese - which have ended up with no visible action.
1: http://en.wikipedia.org/wiki/Gary_McKinnon