Basing this stuff on email times (especially replies to emails sent that same day) would be more relevant. However, if this operation was pulled off with the precision and opsec that it seems to have been, I wouldn't be too surprised if whatever group is behind this attack would've sent over + funded a developer somewhere in a time zone of their choice.
No doubt any nation state is able to station someone in Russia/Israel/one of the n-eyes countries.
I doubt OSINT will figure out who is really behind this, but I'm sure governments will, soon enough. Whether or not they report the truth of their findings, and if one should trust the official reporting, is yet another tough question.
That activity looks 100% to be from a paid employee to me. He works in the morning and does git maintenance in the afternoon like clockwork... Between 12 and 18... It might also have been multiple employees.
He didn't work on Christmas or New Year's Eve, which is extremely telling...
The last commit in December is on the 21st, so I'm not sure how much can be read into it.
But note that he comes back next year on the 5th, then disappears for the 6th and 7th, and comes back on the 8th. The 7th is the old-style Eastern Orthodox Christmas, as celebrated in e.g. Russia, Serbia, and Georgia, and the 6th is therefore Christmas Eve. Although in Russia official holidays are the entire week from January 1 to January 8 inclusive... still, for this kind of work I wouldn't expect them to stick to the letter of the law there.
The git timestamps in the git commits probably were faked, but they implicate China. There were a handful of apparent slip-ups though, and if we take those timestamps to be correct then it looks like they were in eastern Europe (or possibly Finland, the Baltics, or the Mediterranean coast all the way down to Egypt). And if we instead assume that these timestamps are a second-level misdirection then there is a huge complexity penalty; my money is on the simpler answer (but not all my money; it's not a sure bet).
I like to think that the performance issue in the exploit was actually an exploit of an exploit, a counterintelligence act, by some "good samaritan" :D
Thanks, I was wondering about this since day 0 and was too lazy to look it up. Yes it can be spoofed, but I imagine a good chunk of day-to-day work is semi-interactive, which would make it preferable to have the attacker be in the same tz as the victims. Anyone know what tz Lasse was at? If not (eg he's in the US), then I'd say Occam's razor that the attacker is working those UTC 10-18 office hours without extra steps. Tz proves nothing and for a 3y low-intensity operation I'd just assume the attacker won't introduce that much friction only to mislead. I'm sure there are much stronger signals in the investigation work that's going on now. Unfortunately, given the hush-hush-by-default nature of our beloved intel agencies, we'll probably never know.
I don't think Github activity logs can be spoofed - of course activity can consciously be done in a certain time zone, but that's different from spoofing timestamps in git commits. See https://news.ycombinator.com/edit?id=39905376 for the full histogram, it shows a rather narrow time distribution between 12-16 UTC - not really natural at all if you ask me.
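The thread above reasons from two things that can be read straight out of a git log: the distribution of commit times in UTC, and the handful of commits whose recorded timezone offset differs from the author's usual one (the "slip-ups"). The script below is an added example written for this page; it is not from any commenter and not from the xz repository. It takes the output of `git log --format='%H|%ad|%cd' --date=raw` (raw dates are `<unix epoch> <+/-HHMM>`), buckets commits by UTC hour and by the hour in the timezone each commit claims, and flags commits whose author offset is not the dominant one. The commit lines embedded in it are constructed sample data, not real commits; the SHAs, epochs and offsets are made up to illustrate the pattern under discussion (work clustered at 12-16 UTC, offsets claiming UTC+8, two outliers at UTC+2 and UTC+3). Both the author (`%ad`) and committer (`%cd`) dates are parsed because either can be set arbitrarily via GIT_AUTHOR_DATE / GIT_COMMITTER_DATE, which is why the thread treats them as a weak signal.

```python
"""Histogram git commit times and flag timezone-offset outliers.

Added example for this page (not from the thread or the xz project).
Input format is what `git log --format='%H|%ad|%cd' --date=raw` prints:
    <sha>|<author epoch> <+/-HHMM>|<committer epoch> <+/-HHMM>
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data: fake SHAs, fake timestamps. NOT real xz commits.
# Epochs fall on 2024-01-02 .. 2024-01-05, 12:00-16:30 UTC; six commits claim
# +0800, two claim +0200 / +0300 (the "slip-ups" the thread speculates about).
SAMPLE_LOG = """\
a1c0ffee|1704200400 +0800|1704200400 +0800
b2d00d00|1704209400 +0800|1704209400 +0800
c3e11e00|1704283800 +0800|1704283800 +0800
d4f00d00|1704290400 +0800|1704290400 +0800
e5ba5e00|1704375900 +0200|1704375900 +0200
f6cafe00|1704384000 +0800|1704384000 +0800
07beef00|1704456000 +0800|1704456000 +0800
18dead00|1704464400 +0300|1704464400 +0300
"""


def parse_raw_date(raw):
    """Parse '<epoch> <+/-HHMM>' into (epoch_seconds, offset_minutes)."""
    epoch_str, tz = raw.split()
    sign = -1 if tz[0] == "-" else 1
    offset = sign * (int(tz[1:3]) * 60 + int(tz[3:5]))
    return int(epoch_str), offset


def parse_log(text):
    """Return a list of (sha, author_epoch, author_off, committer_epoch, committer_off)."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, adate, cdate = line.split("|")
        aep, aoff = parse_raw_date(adate)
        cep, coff = parse_raw_date(cdate)
        commits.append((sha, aep, aoff, cep, coff))
    return commits


def utc_hour_histogram(commits):
    """Author time bucketed by UTC hour; independent of the claimed offset."""
    return Counter(datetime.fromtimestamp(c[1], timezone.utc).hour for c in commits)


def claimed_local_hour_histogram(commits):
    """Author time bucketed by the hour in the timezone the commit *claims*.

    If the UTC histogram is office hours but this one is late evening, the
    claimed offset does not match the work pattern.
    """
    return Counter(((c[1] + c[2] * 60) // 3600) % 24 for c in commits)


def offset_histogram(commits):
    """How often each author offset (in minutes east of UTC) appears."""
    return Counter(c[2] for c in commits)


def find_tz_slips(commits):
    """SHAs whose author offset differs from the most common offset."""
    dominant, _ = offset_histogram(commits).most_common(1)[0]
    return [c[0] for c in commits if c[2] != dominant]


def fmt_offset(minutes):
    """Render an offset in minutes back as git's +/-HHMM form."""
    sign = "+" if minutes >= 0 else "-"
    m = abs(minutes)
    return f"{sign}{m // 60:02d}{m % 60:02d}"


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("UTC hours:          ", sorted(utc_hour_histogram(commits).items()))
    print("Claimed-local hours:", sorted(claimed_local_hour_histogram(commits).items()))
    print("Offsets:            ", {fmt_offset(k): v for k, v in offset_histogram(commits).items()})
    print("Offset outliers:    ", find_tz_slips(commits))
```

On the constructed sample this reports all commits between 12 and 16 UTC, the same commits at 20:00-00:00 in the claimed +0800 zone, and the two +0200/+0300 commits as outliers; on a real repository the interesting output is whichever of those three views disagrees with the other two. To run it against a real clone, pipe `git log --author=<name> --format='%H|%ad|%cd' --date=raw` into `parse_log` instead of `SAMPLE_LOG`.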