Masquerading as a particular cyber-attack group requires not only knowing what techniques and tools they tend to use, but also how to do those things yourself, while imitating their style. It’s not impossible, but neither is it trivial: We’re not talking about simply first impressions here, but fooling a concerted, post-hoc investigation.
When a large enough amount of attacks are performed by one group you gain some insight in how they work & approach problems. Very similar to how law enforcement would be able to "fingerprint" a serial killer based on his patterns or how a professor would be able to tell you plagiarized the code for a project based on the pattern of your early assignments.
People are not immune to patterns and habits. Groups, much like people, are effectively extensions of these patterns and habits but on a grander scale. In a normal workplace this is called company "culture".