
There are many different kinds of indicators left behind in attacks, even very sophisticated attacks. Way more than just IP addresses. The entire recon, infection, exfiltration, pivoting, and C&C chain can leave hundreds or thousands of host-based, network-based, and identity-based indicators behind.

Of course, those indicators can be intentionally or unintentionally misleading or ambiguous. But by finding a dozen or more consistent IOCs/TTPs without any inconsistent ones, combined with a motive, often you can start making some possible accusations. Those assumptions will often remain unproven, but keep in mind government APT groups are still run by humans, and humans can always be sloppy.

Also, in some cases one state may have so thoroughly compromised another that they could find explicit evidence that an attack was ordered.
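The reasoning in the comment above (count the indicators that agree with a candidate actor's known tradecraft, treat any single clash as disqualifying, and only then let motive turn a dozen matches into a "possible" attribution) is easy to express as a small scorer. The following is an added example, not code from the thread or from any vendor tool; every actor name, indicator dimension and value in it is a constructed placeholder, and the twelve-indicator threshold is the comment's own rule of thumb rather than an established standard.

```python
# Added example: score observed indicators against candidate actor profiles.
# Indicators are (kind, dimension, value) triples; a profile lists the value an
# actor is known for on some dimensions. Same dimension + same value is
# consistent, same dimension + different value is inconsistent, and a dimension
# the profile is silent on is no evidence either way. All data is constructed.
from dataclasses import dataclass, field
from enum import Enum


class Kind(Enum):
    HOST = "host"          # file hashes, mutexes, persistence mechanisms, ...
    NETWORK = "network"    # C2 protocol, registrars, TLS fingerprints, ...
    IDENTITY = "identity"  # sender patterns, working hours, lure themes, ...


@dataclass(frozen=True)
class Indicator:
    kind: Kind
    dimension: str  # what the indicator describes, e.g. "loader_family"
    value: str      # the observed value on that dimension


@dataclass
class Profile:
    name: str
    known: dict   # dimension -> value previously tied to this actor
    motive: bool  # does the victim fit the actor's known targeting?


@dataclass
class Assessment:
    actor: str
    verdict: str
    consistent: list = field(default_factory=list)
    inconsistent: list = field(default_factory=list)


def assess(observed, profile, min_consistent=12):
    """Compare one intrusion's indicators with one actor profile."""
    consistent, inconsistent = [], []
    for ind in observed:
        expected = profile.known.get(ind.dimension)
        if expected is None:
            continue  # profile says nothing about this dimension
        (consistent if expected == ind.value else inconsistent).append(ind)
    if inconsistent:
        verdict = "contradicted"  # one clash outweighs any number of matches
    elif len(consistent) >= min_consistent and profile.motive:
        verdict = "possible"      # an accusation can be made, but stays unproven
    else:
        verdict = "insufficient"
    return Assessment(profile.name, verdict, consistent, inconsistent)


def kind_breakdown(assessment):
    """Count consistent indicators per kind (host/network/identity)."""
    counts = {k.value: 0 for k in Kind}
    for ind in assessment.consistent:
        counts[ind.kind.value] += 1
    return counts


def rank(observed, profiles, min_consistent=12):
    """Actor names ordered best-supported first, contradicted ones last."""
    order = {"possible": 0, "insufficient": 1, "contradicted": 2}
    results = [assess(observed, p, min_consistent) for p in profiles]
    results.sort(key=lambda a: (order[a.verdict], -len(a.consistent)))
    return [a.actor for a in results]


# Constructed sample evidence: thirteen indicators from one intrusion.
H, N, I = Kind.HOST, Kind.NETWORK, Kind.IDENTITY
OBSERVED = [
    Indicator(H, "loader_family", "LoaderA"),
    Indicator(H, "persistence", "scheduled_task"),
    Indicator(H, "mutex_pattern", "Global\\svc-{hex8}"),
    Indicator(H, "build_language", "lang-1"),
    Indicator(H, "compile_timezone", "UTC+3"),
    Indicator(N, "c2_protocol", "https_beacon"),
    Indicator(N, "domain_registrar", "RegistrarX"),
    Indicator(N, "tls_fingerprint", "ja3-placeholder-1"),
    Indicator(N, "hosting_asn", "AS-PLACEHOLDER-1"),
    Indicator(I, "phishing_sender_pattern", "hr-{org}@"),
    Indicator(I, "active_hours", "06-15 UTC"),
    Indicator(I, "lure_theme", "procurement"),
    Indicator(I, "recon_tool", "ReconKitB"),
]

# Constructed actor profiles (placeholder names, not real groups).
_BASE = {ind.dimension: ind.value for ind in OBSERVED[:12]}
ALPHA = Profile("Alpha", dict(_BASE), motive=True)  # 12 matches, silent on recon_tool
BRAVO = Profile("Bravo", {**_BASE, "persistence": "registry_run_key"}, motive=True)  # one clash
CHARLIE = Profile("Charlie", {k: _BASE[k] for k in ("loader_family", "c2_protocol", "lure_theme")}, motive=True)

if __name__ == "__main__":
    for p in (ALPHA, BRAVO, CHARLIE):
        a = assess(OBSERVED, p)
        print(p.name, a.verdict, len(a.consistent), len(a.inconsistent), kind_breakdown(a))
    print(rank(OBSERVED, [CHARLIE, BRAVO, ALPHA]))
```

The one design choice worth noting is that a contradiction is not averaged away: Bravo matches eleven of thirteen indicators but is ranked below Charlie's three, because the comment's standard is "consistent IOCs without any inconsistent ones". In practice the clash itself then becomes the interesting artifact, since it is either a false flag, a shared tool, or a gap in the profile, and which of those it is has to be worked out by hand.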
