How are attacks and APTs attributed? - Information Security Stack Exchange

Answer by nobody for How are attacks and APTs attributed?


From the sophistication of the malware code

State-sponsored groups are backed by governments which are usually willing to invest a lot more money than an individual or even a group of criminals will invest into developing their cyber arsenal. This means that they will often have more skilled/experienced and a larger number of developers. This larger group will be able to develop malware with more and better features (e.g. better ability to evade endpoint detection and response software, ability to exfiltrate data more stealthily, better anti-analysis features) than malware developed by the typical lone black hat. Thus if a particular malware has advanced capabilities and sophisticated code, it is safe to say the malware was the work of an advanced group, usually a state-sponsored APT.

Targets

The people targeted by the malware often say a lot about the threat actor behind it. If malware infects machines everywhere indiscriminately, it's often the work of a criminal group looking to infect as many people as possible, to maximize their profit. However, if the malware is found selectively on the devices of high-level diplomats or journalists, then this is likely a campaign by a state-sponsored actor looking to gain inside information on another nation's diplomatic activities.

Reuse of code and infrastructure

Malware development takes time and effort. So once a group has developed a particular set of capabilities, they are prone to reuse or repurpose the same code. If a malware analyst can identify significant similarities between code in a newly discovered malware sample and a previously discovered or leaked malware from state-sponsored groups, it's easy to make the connection.

Infrastructure (i.e. command and control servers used to distribute, control and update malware) is often reused too. Often this is because (anonymously) obtaining and setting up new servers is too much of a hassle to repeat in every new campaign. New malware that uses the same infrastructure as previously attributed malware is a big giveaway too.

Metadata in files

If the above techniques do not provide sufficient clues to determine the exact group behind a piece of malware, analysts will look at metadata in the malware's executables/payloads. For example, when an executable is compiled, the compiler usually attaches a timestamp to it to indicate the time of compilation. If sufficient samples containing timestamps are found, they can be used to infer the time zone from which the group operates. Compiled executables can also contain file paths from the attacker's machine, which can provide further clues.

The catch here is that metadata can be forged in order to mislead analysts about the origin of the malware, and hence less confidence should be placed in it when attributing malware.


These are some of the more obvious and reliable techniques of attributing malware to state-sponsored groups, but this is nowhere near an exhaustive list.
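The "metadata in files" technique from the answer above, shown as an added example that is not part of the original answer: read the COFF `TimeDateStamp` out of each PE sample, score candidate UTC offsets by how many compile times fall inside an assumed local working day (09:00 to 18:00, an assumption chosen for the illustration), and pull any `.pdb` build paths out of the raw bytes. The PE header offsets are from the PE/COFF specification; the samples themselves are constructed in the script, with one zeroed timestamp to show how absent metadata is skipped, and are not real malware.

```python
import re
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Offsets from the PE/COFF specification.
E_LFANEW_OFFSET = 0x3C          # DOS header field holding the offset of "PE\0\0"
PE_SIGNATURE = b"PE\0\0"
TIMESTAMP_OFFSET_IN_COFF = 4    # TimeDateStamp follows Machine (2) + NumberOfSections (2)

# Loose pattern for a Windows build path ending in .pdb, as left by linkers.
PDB_PATH_RE = re.compile(rb"[A-Za-z]:\\[\x20-\x7e]{1,200}?\.pdb", re.IGNORECASE)


def build_fake_pe(timestamp, pdb_path=b""):
    """Constructed test input: a minimal PE-shaped blob. Only the DOS e_lfanew
    field, the PE signature and the COFF header are filled in."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                      # 0x40-byte DOS header
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)          # PE signature right after it
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff + b"\0" * 32 + pdb_path + b"\0" * 8


def compile_timestamp(data):
    """Return the COFF TimeDateStamp as an aware UTC datetime, or None if the
    blob is not a PE or the stamp is zeroed (common in stripped builds)."""
    if data[:2] != b"MZ" or len(data) < E_LFANEW_OFFSET + 4:
        return None
    pe_off = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    ts = struct.unpack_from("<I", data, pe_off + 4 + TIMESTAMP_OFFSET_IN_COFF)[0]
    if ts == 0:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def pdb_paths(data):
    """All .pdb build paths found in the raw bytes (a strings-style scan)."""
    return [m.decode("ascii", "replace") for m in PDB_PATH_RE.findall(data)]


def infer_utc_offset(timestamps, work_start=9, work_end=18):
    """Score every whole-hour UTC offset by how many compile times land inside
    the assumed local working day; return (best_offset_hours, hits).
    Heuristic only: timestamps can be forged, so treat the result as a clue."""
    best = None
    for offset in range(-12, 15):
        hits = sum(1 for t in timestamps
                   if work_start <= (t + timedelta(hours=offset)).hour < work_end)
        if best is None or hits > best[1]:
            best = (offset, hits)
    return best


def analyse(samples):
    stamps = [t for t in (compile_timestamp(s) for s in samples) if t is not None]
    offset, hits = infer_utc_offset(stamps)
    return {
        "timestamps": stamps,
        "utc_hour_histogram": Counter(t.hour for t in stamps),
        "utc_offset": offset,
        "hits": hits,
        "pdb_paths": sorted({p for s in samples for p in pdb_paths(s)}),
    }


def _utc(y, mo, d, h, mi):
    return int(datetime(y, mo, d, h, mi, tzinfo=timezone.utc).timestamp())


# Constructed sample set: compile times chosen to fall in a UTC+3 working day,
# one sample with a zeroed timestamp, two sharing the same build path.
SAMPLES = [
    build_fake_pe(_utc(2023, 3, 14, 6, 12), b"C:\\Users\\dev\\proj\\dropper\\Release\\dropper.pdb"),
    build_fake_pe(_utc(2023, 3, 15, 7, 40)),
    build_fake_pe(_utc(2023, 3, 16, 9, 5)),
    build_fake_pe(_utc(2023, 3, 20, 11, 30), b"C:\\Users\\dev\\proj\\dropper\\Release\\dropper.pdb"),
    build_fake_pe(_utc(2023, 3, 21, 13, 50)),
    build_fake_pe(_utc(2023, 3, 22, 14, 15)),
    build_fake_pe(_utc(2023, 3, 23, 6, 45)),
    build_fake_pe(_utc(2023, 3, 27, 12, 20)),
    build_fake_pe(0),   # zeroed TimeDateStamp: yields no timestamp
]

if __name__ == "__main__":
    result = analyse(SAMPLES)
    print("compile hours (UTC):", dict(sorted(result["utc_hour_histogram"].items())))
    print("best-fitting offset: UTC%+d (%d of %d samples in working hours)"
          % (result["utc_offset"], result["hits"], len(result["timestamps"])))
    print("pdb paths:", result["pdb_paths"])
```

Against the constructed set, the only offset that places every sample inside 09:00 to 18:00 local time is UTC+3; a real investigation would need many more samples before reading anything into that, and the answer's caveat still applies: a timestamp is one 32-bit field that the attacker controls.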

