Her own government, or a foreign government?
For her own government, assuming she has access to the appropriate information, she could recognize a lot of things about the attack, like C&C servers as mentioned, but also 0days she knows only her state has access to, payloads or monitoring systems that have a signature she would recognize, or similar.
A foreign government would be basically rumor. You'd recognize it by the same things, but how do you know which government? The answer is that if you have a state-level cyberattack on a bank in Moldova, you probably know who did it, and then when you see other attacks with the same features, you can conclude it's probably the same state.
Note that while you could do something like access C&C over Tor, that practice would be identifying of the governments that used Tor to hide C&C server addresses. Maybe the US does this, but China doesn't.