How would we know? The most notable attestation I can think of was NK-Sony, and that is dubious at best. I'll stipulate that China is behind lots of hacks, but that means attributing any particular one to them could be just a good guess.
The NK-SONY episode was undoubtedly NK or NK-sympathizers.
The malware analysis from Fireeye is a good start for this (it was a variant of malware used by NK to target SK media outlets that run negative press against the regime, was compiled with Korean character sets, and much more), but it's also true that the motive of the hack, written by the Guardians of Peace themselves, was to punish the US for the State Department and CIA's involvement in the creation of The Interview and the plans to get the movie into NK.
Curiously linguistic analysis of the Guardian of Peace messages suggest that the author was possibly Russian and variants of the malware package had also been used in an Iranian attack on US oil companies in the Middle East. (These nations are known to collaborate in malware development and tactics, tools and proceedures.)
