The existence of CIPAV has been known for five years, and its use by the FBI for more than ten. EFF obtained a description of its functionality in 2011 – it gathers user data including IP addresses, MAC addresses, various other items and information that would assist with “identifying computer users, computer software installed, [and] computer hardware installed”. It is pure spyware.
A second piece of circumstantial evidence is the location of the malware's C&C IP address. Researchers have tracked it to a block of IP addresses thought by some to be permanently assigned to the NSA. This has led to suggestions that the NSA is behind the attack – a suggestion that Wired dismisses. "The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area." Wired maintains that the FBI remains the prime suspect.
However, one mystery is why the C&C IP address is so easily traced within the malware: it is hard-coded into the sample rather than hidden. Ars Technica, which reported on the suspected NSA connection, commented, "The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card." One suggestion has been, "It's psyops – a fear campaign... They want to scare folks off Tor, scare folks off all privacy services."
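The triage that makes a hard-coded address "easily traced" is mundane: pull every dotted-quad literal out of the sample, discard the ones that cannot be a server on the Internet, and look up what is left. The following is an added illustration, not code from the article, from Wired or Ars Technica, or from any analysis of the actual sample. The byte buffer, the addresses in it (documentation ranges, not the real C&C address) and the watchlist netblock are all constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for a `strings`-style pass over a binary. The addresses
# come from RFC 5737 / RFC 1918 documentation and private ranges; none is the
# real C&C address, which this page does not reproduce.
SAMPLE_BLOB = (
    b"MZ\x90\x00some junk\x00"
    b"http://192.0.2.44:80/hosts\x00"
    b"127.0.0.1\x00"
    b"10.0.0.5\x00"
    b"256.1.1.1\x00"          # looks dotted, but 256 is not a valid octet
    b"198.51.100.7\x00"
    b"version 1.2.3.4\x00"    # a version string that happens to parse as an IP
)

# Hypothetical netblock the analyst wants flagged (an assumption for the example).
WATCHLIST = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that cannot host an Internet-reachable C&C server.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Dotted quad not glued to further digits or dots on either side.
_DOTTED = re.compile(rb"(?<![0-9.])(?:[0-9]{1,3}\.){3}[0-9]{1,3}(?![0-9.])")


def extract_ipv4_literals(blob: bytes):
    """Return the unique, syntactically valid, routable IPv4 literals found in blob."""
    found = set()
    for m in _DOTTED.finditer(blob):
        try:
            addr = ipaddress.IPv4Address(m.group().decode("ascii"))
        except ValueError:
            continue  # an octet above 255, so not an address at all
        if any(addr in net for net in _NON_ROUTABLE):
            continue  # loopback, RFC 1918, multicast etc. are not C&C candidates
        found.add(addr)
    return sorted(found)


def match_watchlist(addrs, watchlist=WATCHLIST):
    """Map each address (as a string) to the watchlist block containing it, or None."""
    return {
        str(a): next((str(n) for n in watchlist if a in n), None)
        for a in addrs
    }


if __name__ == "__main__":
    candidates = extract_ipv4_literals(SAMPLE_BLOB)
    for ip, block in match_watchlist(candidates).items():
        print(f"{ip:16} {'in ' + block if block else 'no watchlist hit'}")
```

The survivors are what an analyst then runs through whois or ARIN to find the owning organisation, which is how an address gets attributed to a government netblock in the first place. The "version 1.2.3.4" false positive is deliberate: string extraction cannot tell a version number from an address, so every hit still needs a manual look before anyone talks about attribution.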
A third possibility is that the authors simply didn't expect the malware to be discovered and analyzed – after all, if it really is CIPAV, this is the first time in ten years of use that it has actually been caught. "The code has been used sparingly in the past," writes Wired, "which kept it from leaking out and being analyzed or added to anti-virus databases." Now that it has been found, Wired asks, will the AV companies analyze it and start detecting CIPAV?