Actually, the attackers are unknown in concrete terms, but the attack requires the kind of network access and resources available only to something like the NSA. That means the attack is injected at the backbone server level (the dozen or so servers that provide the ultimate level of control on all worldwide Internet traffic).
Good Crypto sounds the alarm on a form of attack that simply kept most people from getting the software by intercepting the packets on their way to the downloader’s computer. As noted, neither the server nor the client was aware of the problem because the browsers they used never saw a problem. Who expects packet tampering at the backbone level?
Granted, this kind of thing has to be specifically targeted to work that well. However, it could work on a wider scale, in theory at least. The folks who run those backbone DNS servers are not going to tell the NSA “no.” This is one of the reasons some developers are working on decentralized DNS: to avoid offering such a narrow point of leverage, one that gives bad guys control over almost everything.