by jcrawfordor 3831 days ago
They match up the activity they observe with tactics/techniques/procedures (TTPs, an awkward term, but it's of old military origin) associated with various known state actor groups. These are widely published by various security firms, although the details are often kept in the industry and behind a paywall. You can find a lot of info just by googling the codenames firms assign to the groups; APT28 is one such group on my mind which has recently had some public reporting: https://www.fireeye.com/content/dam/fireeye-www/global/en/cu...

These TTPs may consist of known attack infrastructure, email payloads, even things as simple as an email subject line if the attacker leaves it fairly static. They may also be as complicated as artifacts of dynamic analysis of malware, software engineering techniques and tools, language use, etc.

Attribution to state actors comes via similar techniques, generally tying attacks back to infrastructure known to be owned by state agencies or companies operated by the same. The line between state actors and higher-end criminal groups can be very blurry, both in that attribution may be difficult and in that the groups actually overlap in many areas. But still, you can often make a pretty confident guess.

These attribution techniques are well-established in the security industry, and I'm not surprised to see these big providers starting to automate it where possible.
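The matching the comment describes, observed activity scored against published TTP profiles, with indicators that several groups share counting for less because of the overlap mentioned above, as an added example that is not part of the original comment. The actor names, infrastructure, subject-line patterns, sandbox artifacts, weights and event records below are all constructed for illustration and correspond to no real reporting.

```python
"""Toy TTP-overlap scorer: rank constructed actor profiles against observed events.

Added example with constructed data; not the original comment's code and not
based on any real threat-intelligence feed.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    infrastructure: set[str]     # domains / IPs reported as the actor's
    subject_patterns: list[str]  # regexes over phishing subject lines
    tool_artifacts: set[str]     # strings seen in dynamic analysis of the actor's malware


# Category weights: infrastructure and tooling are stronger evidence than a
# subject line, which is cheap for anyone to copy. Constructed values.
WEIGHTS = {"infrastructure": 3.0, "subject": 1.0, "tooling": 2.0}

# Constructed profiles. Both deliberately share one subject-line pattern to
# show how a shared indicator is discounted.
PROFILES = [
    Profile("ACTOR-A (constructed)",
            {"update-portal.example", "203.0.113.10"},
            [r"^Invoice \d{4} overdue$"],
            {"mutex:Global\\svc-a", "pdb:c:\\build\\dropper.pdb"}),
    Profile("ACTOR-B (constructed)",
            {"cdn-sync.example"},
            [r"^Invoice \d{4} overdue$", r"Conference agenda"],
            {"mutex:Global\\svc-b"}),
]

# Constructed observations from one incident: a phishing email, a sandbox
# detonation of its attachment, and a later outbound connection.
EVENTS = [
    {"type": "email", "subject": "Invoice 2024 overdue",
     "sender_domain": "update-portal.example"},
    {"type": "sandbox", "artifacts": ["mutex:Global\\svc-a"]},
    {"type": "network", "destination": "cdn-sync.example"},
]


def match_event(profile: Profile, event: dict) -> list[tuple[str, str]]:
    """Return (category, indicator) pairs of `profile` that `event` hits."""
    hits = []
    if event["type"] == "email":
        if event.get("sender_domain") in profile.infrastructure:
            hits.append(("infrastructure", event["sender_domain"]))
        for pat in profile.subject_patterns:
            if re.search(pat, event.get("subject", "")):
                hits.append(("subject", pat))
    elif event["type"] == "network":
        if event["destination"] in profile.infrastructure:
            hits.append(("infrastructure", event["destination"]))
    elif event["type"] == "sandbox":
        for artifact in event["artifacts"]:
            if artifact in profile.tool_artifacts:
                hits.append(("tooling", artifact))
    return hits


def attribute(events: list[dict], profiles: list[Profile] = PROFILES):
    """Score every profile against the events; return (name, score, hits) ranked high to low.

    An indicator that matched more than one profile is a weak discriminator
    (groups overlap, or one copies another), so its weight is cut to a quarter.
    """
    per_profile = {p.name: set() for p in profiles}
    for event in events:
        for profile in profiles:
            per_profile[profile.name].update(match_event(profile, event))
    shared = Counter(ind for hits in per_profile.values() for ind in hits)
    results = []
    for name, hits in per_profile.items():
        score = 0.0
        for category, indicator in hits:
            weight = WEIGHTS[category]
            if shared[(category, indicator)] > 1:
                weight *= 0.25
            score += weight
        results.append((name, round(score, 2), sorted(hits)))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    for name, score, hits in attribute(EVENTS):
        print(f"{name}: {score}")
        for category, indicator in hits:
            print(f"    {category}: {indicator}")
```

Running it ranks ACTOR-A first on the strength of its infrastructure and sandbox-artifact matches, while the shared subject-line pattern adds almost nothing to either side. The point is the one the comment makes: a single cheap indicator is not attribution, and when two groups' published TTPs overlap, the overlapping part should not move the needle.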