I did some of the debunking on that one
The IP addresses in question, 65.222.202.53 (for the code) and 65.222.202.54 (for the data upload) were incorrectly identified as belonging to a US government contractor, SAIC due to an error with the analysis tool used.
What happened was that DomainTools accidentally reported the entire 65.222.202.0/24 as belonging to SAIC, when actually it is a Verizon Business IP range shared with many companies. Verizon then suballocates most of the IPs to their customers, almost all of whom are based in the Washington DC or Virginia area. The error was made in good faith, and looking at the underlying data it is easy to see how it happened.
SAIC has the first few IPs, the next block belongs to some ISP, then the next to the US government. The fourth block is where the exploit is homed and the data uploaded, but the IP records don't show who it is allocated to. But analysing the rest of the range shows that it likely to be a large-ish organisation physically located in the DC/VA area.
Now.. just think about the sort of organisations that operate in that physical location. It's not as if the IP traces to an apartment block next to the bus station in Tiraspol is it?
Now, assuming that Eric Eoin Marques was the person responsible for the servers hosting the tracking code, then it doesn't take a genius to link his arrest with some agency gaining access to the server farm and adding the code. It seems highly likely that the two things are connected.
This is my debunking:
http://blog.dynamoo.com/2013/08/torsploit-is-6522220253-nsa.html
This is what is in the rest of the IP block in question:
http://blog.dynamoo.com/2013/08/what-is-65222202024.html