They've set up honeypots (propably on client facilities) that report back. Then it's just statistical analisys. I have a hunch that they're just dumping all connections on the map for it to look impressive. Though it is also possible that the connections are automatically catagorized as 'suspicious' and 'not suspicious', and that map is reporting only ones that look suspicious.
They first need to figure out if a ddos is a legit high number of users or really a ddos attack before they can call it a cyber attack anyway
There exists other attacks other then dos attacks.