Re: Okay, honest question...
I think its Chinese after reading the Kaspersky technical paper on it, since none of the C&C servers they've seen are in China, but there is one in Taiwan, one in Brussels, and two in India. It makes it easy to claim NATO's doing it, especially with samples coming from Afghanistan and Iran. A little too easy I'd figure. Especially since there are no known samples from anywhere China may want to fuck with a little, like Taiwan, Vietnam, the Philippines, Japan, Russia, South Korea and the DPRK government, the US and the vast majority of NATO, etc. Its a little too convenient for my liking.
It could also be France, all of the countries that submitted samples are of an interest of France, and one country is very noticeably absent from the list, Iraq. France gives fuck all about Iraq. It was never their problem except when they were selling Saddam Hussein nuclear technology and nerve gas. I'd be interested to know if any of the European microstates have infections, especially Monaco.
However, it might be five eyes and with Fiji and Kiribati being targeted its sort of easy to believe (I believe New Zealand has responsibility for them) but then again, its a little too obvious for anyone involved with UKUSA, especially with cryptonyms in the Virtual File Systems. NSA/CSS and I'm presuming GCHQ would strip it out. Also whoever it is isn't very familiar with UKUSA classification levels, because one of them looks like it is labeled as Unclassified just before a supposed cryptonym.