I wouldn't be surprised if portions of it were bought within the US, or if it was largely made from off-the-shelf components legally imported and then assembled. Unless there were capabilities demonstrated that haven't been made public (Like some new low-power high-intensity jamming) this doesn't seem too far off from the capabilities of a non-state actor. The main reason I think this is a state actor is because of the motivation (terrorists would have actually tried to use it as a weapon to do damage).
It doesn't need to be some super-advanced weapon or capability. Sometimes all it takes is a demonstration to make people aware of vulnerabilities that have long existed. Think about the billions spent on airport security after 9/11, that frankly aren't doing much to prevent future attacks. This incident, and others like it, don't have a body count and haven't provoked a massive public outcry, but they are unnerving people. You can bet funding is going to be diverted to securing airbases from this sort of threat.
The first most obvious state actor would actually be the USA itself. Some sort of red team test to demonstrate our own vulnerabilities and to secure that funding.
It probably wouldn't be necessary for someone like China to actually stage a demonstration, since its easier for China to just have some high up diplomat get themselves drunk and boast to or around a known CIA operative that they have hundreds of drones ready to strike facilities in the USA that can be activated on a moments notice. Then leave just enough of a paper trail lying around in other places to validate it (although probably a dozen or less, not a hundred), without compromising anything. Maybe even go so far to have a private military briefing (that a CIA operative was invited to) which displayed a particular model of drone built using off-the-shelf parts that could be acquired in the US ("we built this on our soil, we could be building another one very much like it on your soil").
So a lot of people are posting something about a red team test or some defense contractor. But is that really something a defense contractor would do? This thing violated federal and most likely state regulations in a bunch of different ways, there are serious consequences to this. I mean this isn't the days of MKUltra, are there any contemporary or recent examples of defense contractors blatantly violating regulations like this without consequence?
It doesn't need to be some super-advanced weapon or capability. Sometimes all it takes is a demonstration to make people aware of vulnerabilities that have long existed. Think about the billions spent on airport security after 9/11, that frankly aren't doing much to prevent future attacks. This incident, and others like it, don't have a body count and haven't provoked a massive public outcry, but they are unnerving people. You can bet funding is going to be diverted to securing airbases from this sort of threat.