Security now video on subject of Tor anonymity starts at around 40 minutes. -http://twit.tv/show/security-now/493 Written transcript of the show can be found at -https://grc.com/sn/sn-493.txt
I think it is far more likely a much simpler form of attack is what they are using. Tor is open source anyone can examine the source code and modify it. When you connect to Tor how do you know you are connecting to a node running the proper Tor code ? Compromised entry nodes could direct traffic through an entirely fake and fully compromised Tor network. Governments could easily set up thousands of these masquerading as real Tor nodes and capture the traffic or even take down the real ones with DOS attacks to ensure users will connect to the phoney ones. This is the trouble with using internet anonymity services it always depends on trusting remote servers without ever knowing who is really in control of them or what software is really running on them.
Nine directory authorities are hard-coded into the Tor client. As I recall, the client won't connect to anything without a consensus comprising at least five of them. Each Tor client creates its own circuits, using nodes that it knows about from the directory consensus. While malicious nodes can participate, until they're removed from the directory consensus, they can't misdirect circuits from clients, except potentially to malicious clones of listed nodes. However, such malicious clones would need correct credentials, which would require compromise of the corresponding listed nodes.