The sophistication of the attack is pretty questionable IMO. The malware used can be purchased by anyone on the black market and had been used before by Iranian hackers in 2012. Furthermore, spearphishing emails were used to get inside the network. Furthermore, how would sophistication be evidence against a State actor with (a reported) 7,000 personnel?
There is absolutely differing levels of sophistication in cyber attacks. The presence of new exploits, clever persistence mechanisms, evidence of a staged attack involving multiple targets (i.e. attacking a company through a compromised vendor, using a certificate from a prior breach), ability to break out of security boundaries like hypervisors, custom malware, jumping of air gaps, handling of multi-factor authentication, clever use and depth of renaissance, ability to change tactics in response to detection, specialization across multiple security contexts, highly scoped and pre-planned operations; these are some things that suggest higher levels of sophistication.
Unfortunately the term is thrown around pretty loosely, limiting the usefulness of the term.
