How do they deduce that the attackers are North Korean? From my reading I think it’s because of how the exploit is written. Is there any other evidence that I missed?
From the evidence given, it’s very flimsy: the code was similar to previous NK attacks, but generally once an attack has been used a few times the exploit code will be copied by a load of other people. That said, from conversations with folks on that team on other topics, they have a lot of data from network bits that Google controls that may give them a better picture. They are generally very hesitant to disclose anything that they use for attribution because it helps the attacker avoid it next time. Unfortunately, from the perspective of someone on the outside, this is indistinguishable from their just making it up.