If I were to take a stab in the dark about how the tool is doing it, though - based on their "statistical" analysis comment, my guess is they're measuring sustained traffic levels / TCP connection duration. Your average encrypted web session won't look anything similar to a command-and-control bot calling home over Tor to some irc server (which is their example usage for the tool). Possibly including "known" Tor node IP addresses, as well.

In addition, there was that Ethopian DPI filtering project against Tor that happened last summer (https://blog.torproject.org/blog/update-censorship-ethiopia), with the Tor Project thinking they'd somehow fingerprinted some aspect of their TLS handshake. Maybe this knowledge is spreading.