Since when does it take more than a month to find the origin of an attack? We've seen the capabilities of the NSA, and I'd bet they've already made grounds infiltrating NK computer networks in the past. If the perpetrator was sloppy (e.g. forgetting to use a VPN once or something), it would make it even easier.
As you said, NSA may have infiltrated NK computer networks, which means NSA and other organizations which had infiltrated NK computer networks can use compromised computers in NK as tools for hacking activities, hiding their real identities. Considering many other possibilities like this, it is hard to trace the real origin of the attacks.
