How can intelligence services be so sure that Russia is the culprit?
This is nearly a dupe of How do organizations check what has been hacked? While that question deals with unraveling what, you're asking about unraveling how and by whom.
What other possibilities are there to identify an attacker, when he knows his business and is hiding his IP/Info and not making stupid mistakes?
There are a lot of possibilities. There's a lot more to remaining un-attributed than "not making stupid mistakes"! it's fair to say, any APT (nation-state) actor is going to be attributed, eventually, by any nation-state level defender. National Defense gets hella more resources than, say, you trying to figure out who took advantage of your Yahoo! credentials.
If you read the list of forensic steps that can be taken, the methods of backtracking rely on all the bits of data, each of which is a small piece of the puzzle.
Data you'll start with:
- IP addresses used in the attack
- Attack tools used in the attack and left on the target servers
- Times of activity (as you say, not conclusive, but a piece of the puzzle)
To quote the bible, "By their fruit you will recognize them." The advanced hacking groups build their own specialized tools, sometimes use the same IPs to route themselves through, and show enough consistency in times of activity to offset them from other advanced groups.
Some of this stuff can get really nitty-gritty. Individual actors have been identified personally because their username was embedded in a directory that was embedded in a file compiled from source that referenced that directory. Small strings found in one set of files have been enough to tie together that attack with another that also happened to have the same signature strings.
At the national level, the people who are working to defend and investigate have access to an awful lot of puzzle pieces, and can use them to attribute actions. They may know that attack XYZ, for example, was blatantly tied to Russia, and that attack QRS has a significant overlap of indicators. Enough overlap? They conclude that QRS was also tied to Russia.
If you're interested in seeing more about how this is done, I strongly recommend reading Mandiant's "APT1: Exposing One of China's Cyber-Espionage Units"