|Countries infected by Flame (SecureList 28MAY12)|
You've also wrongly simplified the scope of cyber actors out there to three when it has never been that cut and dried:
Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states. Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to conclusion that it most likely belongs to the third group.You've conveniently failed to mention an important fourth category: mercenary hacker crews - principally from Russia and the Commonwealth of Independent States - who steal IP and sell it to both corporations and governments. Crews that would love a tool like Flame and who, in my opinion, are the most likely actors involved in using such a tool. If you'd be forthcoming with more information - such as Flame's Command and Control server URLs - a lot more could be learned about who may be behind this virus.
UPDATE (31 MAY 2012): See my related article "Flame, Russia and the ITU: A Geopolitical Agenda?"