One presumes that they are not simply looking at text strings in the code & deciding where it came from based on that. At a minimum, they can intercept packets & see where they are headed. The next step is to penetrate the shell and see where that server is getting orders/sending information. And figure out if these communications are the real path, or if the "shell" is in fact the terminus.
It took them a year and a half to reach this conclusion because they actually had to do work.
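As an added illustration of the "follow the packets hop by hop" idea in the comment above (this is example code written for this page, not anything from the commenter or from the investigation being discussed): given flow records observed first at the victim network tap and then on the seized relay, walk outbound connections from the victim and decide whether the relay merely forwards the traffic or is itself the terminus. The flow records, the addresses (RFC 5737 documentation ranges) and the volume-matching heuristic are all constructed assumptions for the demo.

```python
from collections import defaultdict

# Constructed flow records (not real capture data): one entry per observed
# connection, as an analyst might assemble from the victim's network tap and,
# later, from the seized relay ("shell") server's own traffic.
FLOWS = [
    # src,            dst,             bytes src->dst, bytes dst->src
    ("10.0.0.5",      "203.0.113.10",  52_000, 1_200),   # victim  -> shell
    ("203.0.113.10",  "198.51.100.7",  51_400, 1_150),   # shell   -> upstream relay
    ("198.51.100.7",  "192.0.2.33",    49_900, 1_100),   # relay   -> terminus
    ("192.0.2.33",    "192.0.2.44",       300,   200),   # unrelated traffic at terminus
    ("203.0.113.10",  "203.0.113.99",     900,   900),   # unrelated traffic at shell
]


def trace_c2_chain(flows, start, tolerance=0.2):
    """Follow outbound flows from `start`, one hop at a time.

    Heuristic (an assumption for this demo): a hop is a relay when it forwards
    roughly the volume it received (within `tolerance`) to exactly one next
    hop; when no single outbound flow matches, the hop is treated as the
    terminus. Returns a dict with the full chain, the relays, and the terminus.
    """
    outbound = defaultdict(list)
    for src, dst, out_bytes, _in_bytes in flows:
        outbound[src].append((dst, out_bytes))

    chain = [start]
    received = None          # bytes the current hop received from the previous one
    visited = set()
    current = start
    while current not in visited:
        visited.add(current)
        candidates = outbound.get(current, [])
        if received is not None:
            lo, hi = received * (1 - tolerance), received * (1 + tolerance)
            candidates = [(d, b) for d, b in candidates if lo <= b <= hi]
        if len(candidates) != 1:
            break                # nothing forwarded (or ambiguous): stop here
        nxt, forwarded = candidates[0]
        chain.append(nxt)
        received = forwarded
        current = nxt

    return {"chain": chain, "relays": chain[1:-1], "terminus": chain[-1]}


if __name__ == "__main__":
    result = trace_c2_chain(FLOWS, "10.0.0.5")
    print("chain:   ", " -> ".join(result["chain"]))
    print("relays:  ", result["relays"])
    print("terminus:", result["terminus"])
```

With the full flow set the shell at 203.0.113.10 forwards almost everything it receives to 198.51.100.7, so it is classified as a relay and the chain ends at 192.0.2.33. Drop the shell's matching outbound flow (the situation where penetrating the server shows it talking to nobody upstream) and the same function reports the shell itself as the terminus, which is exactly the question the comment says has to be answered before attribution.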