How is the U.S. government able know where hacks originate from?There is a well-known technique in SIGINT called traffic analysis, which lets us know a lot about where stuff came from without actually seeing the content, though we can infer that it must be true.
For example, at one time, the entrance exam for the NSA included a traffic log of communications between a set of 4 islands without identifying who was on what island and what they where doing.
Your job was to identify which islands were at war with other islands, determining the military and political headquarters of each "nation", where the troops were, where various battles had taken place, etc.
This was based 100% on who called whom, for how long and no other data. The NSA and other intelligence agencies have been at this for a very long time, and they know how to--literally--pull information out of thin air, knowing that it is correct.