This report in The Intercept does a good job of explaining possible ways that evidence was collected. Keep in mind that the indictments handed out by the U.S. DoJ are literally a set of accusations – the indictments do not present the evidence. Evidence would be presented at a trial.
The indictment has a surprising amount of technical information and presents the most detailed and plausible pictures of the Russian cyberattacks so far.
There is also an argument (not presented in the story) that prosecutors know there will never be a trial. Consequently, an indictment, such as that made by the DoJ, can serve as political or propaganda tool to shape public perception. The DoJ can make accusations – which many if not most news reports are reporting as confirmation of actions. But accusations are not necessarily facts until a Court determines that the accusations are true or false based on evidence. However, since those charged are all in Russia, there will likely never be a trial. The effect is that these accusations are mutated into (unproven) facts.
The accusations may be true – or they could be false. We will never know. But we will have our opinions formed by media reports, which are already reporting on this topic as if the accusations are true.