
Presumably, the operators accessing it are using other compromised servers as proxies to connect to the C&C servers. Their initial connection from HQ is probably to an overseas VPN that has been set up by an IC shell company (shell being a front, not computer shell).


With enough investigation all of that could be tracked and disclosed. It is not impossible to track the origins of either method of obfuscation if one is determined. Not that it's relevant because it was essentially already admitted that it was a US operation, possibly/probably in collaboration with Israelis; but that was basically obvious to all but the naive from the get-go.



