I don’t work in this field, but my impression has been that groups tend to share techniques and code patterns that can help tie them back to where they came from.
By connecting multiple details such as IP addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.