Monday, June 4, 2012

Flame - something only a government could build?

The NY Times (June 3 2012) published an article saying that Kaspersky Labs has declared Flame to be something only a government could build.  I disagree.

Look at the purported history of Stuxnet.  The most comprehensive story so far comes from David Sanger - again in the NY Times - saying that it was a project started under Bush-43, continued under Obama-44, co-developed with Israel's Unit 8200.  The larger story implies that the development was broken down into modules coded separately, with the programmers potentially unaware of the nature of the project.  This sounds a lot like the development process of the virus in Neal Stephenson's 1992 novel Snow Crash, in which (ironically) the US Government is the contractor creating the virus for the villain.  The Government was chosen as the development partner because they are the only organization paranoid enough not to trust their programmers with any "big picture" view.

Flame is a bloated beast, 20MB in size, with business logic in Lua calling compiled C++ modules.  While there's nothing unusual about that structure - even large web sites are using hybrid combinations of languages like Scala and Java - it does add credence to the idea that this is code that was not written by one person, nor potentially even one organization.  Flame could easily have been developed according to "Snow Crash" paranoid secret separation of information principles.

We've heard statements before about some things only being possible by government-level operations.  My favorite example was when members of the l0pht testified before Congress about potentially taking down the Internet in 30 minutes.  Government reaction was astonishment - they'd assumed that no private nor commercial organization had such capabilities, and had to go back and re-write their threat models.

In short: while Flame is a sophisticated toolkit for malware, it's not something that only a government could build.  However, the way that it's put together is the way that a government would build it.

In researching this post, I finally found some information that hadn't been exaggerated bouncing around the media echo chamber in a BBC News article that actually quotes someone at Kaspersky Labs. Vitaly Kamluk, "chief malware expert" per the BBC, is quoted thusly:
"Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group."

My reading of this statement is that Flame seems consistent, based on its actions, with something that isn't consistent with non-government malware.  However, that headline won't sell news stories.