Thursday, July 31, 2014
Who is behind the Tor relay attack?
Yesterday, Tor issued a security advisory revealing that a group of relays, discovered on July 4th, looked like they "were trying to deanonymize users." The advisory states that the attack "involved modifying Tor protocol headers to do traffic confirmation attacks", with the relays having joined the network at the start of the year. This means they were potentially deanonymizing users between January 30th and July 4th, when they were finally removed. A Tor spokesperson says that they know the attack "looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic", so there are no details of pages visited or, for that matter, of whether the hidden services searched for were actually visited at all. The big question, though, is whodunnit?