Not only that, but AFAIK it’s not that hard to fake access from an arbitrary IP address if you have control of any router on the path.
Which could mean the NSA, working with somebody in the US who faked the original Guccifer 2.0 account.
Or it could mean some hacker in Europe (Ukraine maybe?) who’d taken control of a router there.
And, of course, some NSA hacker could have simply faked the whole record (of the contact that “forgot” the VPN) up. Given the incompetence demonstrated in Dec. ’16 and Jan. ’17 with their public releases, this can’t be ruled out.
Frankly, I’d say the odds are on a Ukrainian hacker. Or Iranian. But a “Deep State” false flag can’t be ruled out.
Update: The Wired story on the slip-up, dated 03/25/18 makes this exact point: