There’s a large amount of evidence pointing to Russia. The tools used and a private key recovered from a box were used against Germany in a previous attack identified as perpetrated by the GRU. The C&C IPs were used in other attacks. The Russians were initially fairly sloppy, so along with the software on the servers, the documents themselves include a sea of other details, from the use of Cyrillic, time zones in file metadata, original metadata containing the Felix Dzerzhinsky username, and the immediate cleanup of metadata once analysis pointed out the Russian source, to the attackers taking a break on a Russian holiday, along with a long string of other damning details. Every single sign points to two attackers: the Russian military cyber-warfare division of the GRU, and the FSB (formerly known as the KGB), and some have no other technically possible explanation.
Much of the forensic analysis that was done was by InfoSec analysts with good reputations in the field and nothing to gain (and much to lose) by fabricating: CrowdStrike, Fidelis Cybersecurity, Mandiant, SecureWorks, ThreatConnect. I’d suggest you read CrowdStrike’s analysis: