Hacker News

But how do you know the origin?


By connecting multiple details such as IP addresses, connection/flow logs, known CnC servers, etc. You seem to be expecting some magic simple answer but the reality is the same as other investigative work: doing the work in the details as a professional. Just because this work is difficult and inherently has some ambiguity doesn't mean you can just dismiss every attribution from your armchair.



