
It is government sponsored. It says in the article.

> Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium.



But how do they know that it's sponsored by Russia? They saw the paychecks?


They’ve been around for a while and identified by several governments.

“NOBELIUM is an advanced persistent threat group also known as APT29, which is publicly attributed to the Russian government and specifically to the Foreign Intelligence Service of the Russian Federation (SVR)”

https://blogs.blackberry.com/en/2023/03/nobelium-targets-eu-...


It still doesn't answer how they know that: 1) they were hacked by that exact group 2) that group is sponsored by the Russian government.

The only evidence I've seen before in cases like this one was that they found that the hacks happened during Russia's working hours (i.e. Moscow timezone), and that they found some word in Cyrillic in some of the shell scripts. Which is honestly not hard to pull off if you want to hide your true identity. Not saying Russia is not interested in those hacks, but a lot of far-reaching conclusions are often quickly made based on such weak assumptions.


I am not going to go read every MS blog on this group to find the original attribution, but generally it is from reusing infrastructure associated with a government (often even more specifically, a branch of government). IP addresses, correlated email accounts, domains, who they have targeted in the past, code ties between the malware they use, etc. These indicators can be paired with government releases (CISA) or made independently for attribution.

Say some specific infrastructure is used to hack a law firm involved in prosecuting Russia for war crimes in Ukraine. Then that same infra is used to send disinfo targeting Ukrainian groups. Then some distinct malware used in those attacks is also used to wipe machines in the Ukraine conflict. There are full-time groups that track these indicators to tie one attack to another and distinguish groups. This group is likely the SVR.
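The overlap reasoning sketched in the comment above (shared IPs, domains, malware hashes and accounts linking one incident to another) and the objection two comments up (timezone and Cyrillic strings are weak and easy to fake) can both be made concrete with a small indicator-overlap clustering. The following is an added example, not code from the thread, from Microsoft or from any tracking team; the incident names, indicator values (RFC 5737 addresses, example.* domains, fake hashes) and the per-type weights are all constructed for illustration.

```python
"""Cluster incidents by the indicators they share, weighting hard infrastructure
overlap (IP, domain, email, malware hash) far above soft signals (timezone,
language strings) so that weak signals alone never link two incidents.
Added example; all data below is constructed, not real threat intelligence."""
from collections import defaultdict
from itertools import combinations

# Constructed sample: incident name -> indicators observed in it, as "type:value".
INCIDENTS = {
    "law-firm-intrusion": {"ip:203.0.113.10", "domain:update.example.net",
                           "hash:aaa111", "tz:UTC+3"},
    "disinfo-campaign":   {"ip:203.0.113.10", "email:ops@example.org", "tz:UTC+3"},
    "wiper-deployment":   {"hash:aaa111", "ip:198.51.100.7", "lang:ru"},
    # Shares only the soft signals (working-hours timezone, Cyrillic strings).
    "unrelated-phishing": {"ip:192.0.2.44", "domain:login.example.com",
                           "tz:UTC+3", "lang:ru"},
}

# Assumed, illustrative weights: reused infrastructure or malware counts,
# timezone and language artifacts barely register because they are trivial to fake.
WEIGHTS = {"ip": 1.0, "domain": 1.0, "email": 1.0, "hash": 1.5, "tz": 0.1, "lang": 0.1}
LINK_THRESHOLD = 1.0  # assumed: at least one hard indicator must overlap


def link_score(ind_a, ind_b):
    """Return (weighted overlap score, shared indicator set) for two incidents."""
    shared = ind_a & ind_b
    score = sum(WEIGHTS.get(i.split(":", 1)[0], 0.0) for i in shared)
    return score, shared


def links(incidents, threshold=LINK_THRESHOLD):
    """All incident pairs whose shared indicators reach the threshold."""
    out = []
    for a, b in combinations(sorted(incidents), 2):
        score, shared = link_score(incidents[a], incidents[b])
        if score >= threshold:
            out.append((a, b, sorted(shared)))
    return out


def clusters(incidents, threshold=LINK_THRESHOLD):
    """Group incidents transitively via union-find over the qualifying links:
    A shares an IP with B and a hash with C, so A, B and C form one cluster
    even though B and C share nothing directly."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b, _ in links(incidents, threshold):
        parent[find(a)] = find(b)

    groups = defaultdict(set)
    for name in incidents:
        groups[find(name)].add(name)
    return sorted(tuple(sorted(g)) for g in groups.values())


if __name__ == "__main__":
    for a, b, shared in links(INCIDENTS):
        print(f"{a} <-> {b} via {shared}")
    for group in clusters(INCIDENTS):
        print("cluster:", group)
```

With these constructed inputs the law-firm intrusion, the disinfo campaign and the wiper deployment fall into one cluster (IP reuse links the first two, a shared malware hash links the first and third), while the phishing incident stays on its own despite matching on timezone and language, which is exactly the distinction the thread is arguing about: real tracking teams link on reused infrastructure and code, not on working hours or a Cyrillic string.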


The US government publicly named this group as a Russian government tool in a diplomatic announcement kicking out multiple Russian embassy employees in 2021. This is linked as a footnote as the citation for this claim made in the article I shared above.


