There was never a question that the .gov installed it. They are the ones who seized the servers and replaced the website with a page that said "Down for maintenance, come back later". That same page was the one that contained the malware. The discovery of the phoning home was interesting, and it was originally discovered to be contacting a hard-coded IP address in a block assigned to the NSA.
The discovery of the phoning home is not what implicated the .gov, it's the fact that the page they put up to replace theserver is the source of the spyware.