They have the transmission rates which could only be attained via local access.
If you make four assumptions:
1) An office with many people in a big city had only a crappy ADSL connection and not something better. This can be checked, but the analysis you quote did not do so.
2) Both machines were set to the same timezone. This cannot be checked.
3) Both machines had their timezones set correctly for their physical location. This can be checked for only the target machine, but the analysis you quote did not do so.
4) Both machines had their clocks set correctly. This can be checked only for the target machine, but the analysis you quote did not do so.
In any case, the guy didn't do a forensic analysis, because he was not part of any law-enforcement organization. He did a technical analysis and, to my mind, a rather sloppy one. I'm not saying his conclusions were wrong but that they cannot be guaranteed to be correct.
But let's assume it was purely a local hack by an insider. You still have not shown anything to exclude the guy doing it at the behest of the Russians. Or even that he did it for other reasons and later decided to give it to the Russians (so the Russians wouldn't have instigated it but still benefited from it).
The most you have in favour of saying Russia wasn't behind it is that the NSA won't commit to being absolutely certain it was Russia.
Oh, and if rsync was installed on the target machine (it's standard with good OSes and a bolt-on with Windows), then any estimate of transmission rate could be wildly off if this was a lengthy attack and the data in the analysis applies to a final catch-up rsync.
As I have said twice already, I remain unconvinced either way. But if somebody put a gun to my head and forced me to make a bet, my money would be on Russia.