There are multiple factors that can be evaluated to try to attribute an attack. There are many characteristics than can be assessed in order to determine if an incident is likely caused by a certain party. Mature security shops use profiles like this to make their own intelligence assessments, often confidentially collaborating with others sharing the same problems. The following questions are answered by Mike Cloppert, the author of a post on attribution: attribution is not just malware analysis, but it’s not just just a malware analysis.”]
Source: https://taosecurity.blogspot.com/2010/01/attribution-using-20-characteristics.html