by matt_wulfeck 3589 days ago
The author appears to run "strings" on the binaries and then goes on to shoot a few theories in the dark:

> The developers of the malware are leading experts in the area of Linux, Network and Security development.

> They were discovered and not trained.

> Because the archive contains a collection of applications, the calculated result-set is reasonable small for further investigations.

Also:

> LinkedIn will show you the professional discipline, GitHub the shared libraries and their publicity.

I would guess that NSA has a firm grasp on this sort of basic OSINT problem and code attribution techniques.

Retroactively scrubbing a programmer's published work and social media participation is a red flag in itself.
Indeed, from what we also know, or is suspected at least, this is a group which is external to the NSA.

It could consist of former NSA employees and military personnel but it's not clear if this is a fully sanctioned group or just really good hackers for hire.

Like many NSA or GCHQ developers will have a public account on GitHub