I'm no "cyber security expert", but from what I can understand it can be something as simple as, what was mentioned above, tracking ip addresses to analyzing the processes leading up to and used in the attack. Whether that is how they approach the target, the tools used and/or any evidence left behind.
When a large enough amount of attacks are performed by one group you gain some insight in how they work & approach problems. Very similar to how law enforcement would be able to "fingerprint" a serial killer based on his patterns or how a professor would be able to tell you plagiarized the code for a project based on the pattern of your early assignments.
People are not immune to patterns and habits. Groups, much like people, are effectively extensions of these patterns and habits but on a grander scale. In a normal workplace this is called company "culture".
When a large enough amount of attacks are performed by one group you gain some insight in how they work & approach problems. Very similar to how law enforcement would be able to "fingerprint" a serial killer based on his patterns or how a professor would be able to tell you plagiarized the code for a project based on the pattern of your early assignments.
People are not immune to patterns and habits. Groups, much like people, are effectively extensions of these patterns and habits but on a grander scale. In a normal workplace this is called company "culture".