CISA (https://cisa.gov) are investigating. They got the emails between me and "Jia Tan" and other information we have. They can subpoena Google to get IP addresses behind the emails, but whether they'll get any further than that depends on whether and where a VPN was used. If we will ever see a fully public report is anyone's guess.
If it's a state actor, it's not unreasonable to think they'd spin up their own VPN
All you need is a Raspberry Pi and some public Wi-Fi network to create a jump point and hide among the hundreds of devices going on and off that one public IP. With projects like Tailscale you could set it up and plant it somewhere in a matter of hours.
If it is a state actor like China or North Korea, they own the gateways and firewalls and can ensure any traffic they do not want to be identified ever will be.
I also recently wrote a single ephemeral socks5 proxy over a hidden service in Rust. Since they’ve probably compromised other machines in the past, they could’ve easily used something similar to proxy their connection through tor and to some random computer (access some vulnerable router through tor, proxy through it, etc).
Hiding your tracks isn't hard.
Nothing but speculation so far based on the times they were active. No real signatures left behind.
All we know is they were active during business hours of the UTC+1/3 timezones. They used a Chinese-sounding name as one of their front figures, the one who made most of the commits of malicious code. They wrote English messages that some people claim appear to be a Russian trying to write in English. But that last argument is pretty weak as they could have just masked their origin using Google Translate, or even ChatGPT.
One of the biggest clues is actually one little commit that they let slip with a middle name for the Chinese persona. And some people claim the names don't match up with different Chinese cultures.
After that you can use all your psych 101 experience to try and analyze them but you'll just be guessing.
Personally I think using a Chinese front name is a very interesting detail. They could have used any name in the world; there are open source contributors from all over the world.
Using a name in a country where most people have a very little insight is a good way of not being uncovered as fake of course. But why not use a Ugandan name? Also using a Chinese name can be perceived as pointing the blame at China, which might be sensitive geopolitically.
They also used a bunch of other fake names (Jigar Kumar, Dennis Ens) for the personas that put social pressure on the original maintainer. And the ifunc changes were done by one "Hans Jansen" who also later opened a merge request to Debian. These are fairly eclectic names with no pattern, which was the point I guess. We don't know what level of misdirection is going on with the names, so "Jia Tan" is interesting but not particularly meaningful either way.
I would argue that Hans Jansen and Dennis Ens (and Jigar Kumar? I don't know about Indian perceptions of names) are a bit off as well. They contain rhymes that make them sound slightly silly. Most parents would want to avoid these. Maybe chosen to avoid matching real people while still seeming commonplace.
So these names seem somewhat similar to "Jia Tan" in their almost-but-not-quite real quality.
Jia Cheong Tan is anagram for CIA Agent John. If you consider how much went into planning the backdoor operation, it seems virtually certain it's an internal joke.
And why an Asian name? It's certainly exploiting a psychological bias. Apart from what you noted, the names are much more generic than Ugandan names and IMO it's virtually impossible to track a legend down. And the number of OSS contributors from East Asia is much larger than from Africa. Hence a more normalized/frequent occurrence. And lastly if things start going south, some play on the r-card is always up the sleeve of PsyOps personnel.
A Chinese name is consistent with the timezone - alternatively Australia, Russia etc.
Here is my speculation.
I would look at the test framework - the attacker needs the complexity of it to hide away the attack and it is the first thing he publishes - it has probably been planned from the very beginning.
This is a homemade thing based on something called "Seatest".
How common is Seatest? Not that common as far as I can tell - maybe someone can correct me?
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
...
At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits is UTC+8: That’s China’s time zone, and only an hour off from North Korea’s.
Indeed. If it's nation state and years in the making then the idea of all the commit times being faked isn't a stretch.
Hell, even five-eyes (UK+AU+US+etc) could seek a linux backdoor and use Perth, Australia (GMT+8) timezones or have a submission bot in the UK that just commits at preset time from preset IP proxy.
Even if the real origin is identified, that news piece will have much less circulation than the initial suspicion that it's Chinese.
So there are also PR reasons to create a fake trail.
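As an added example (my own code, not from the thread, and the log is constructed rather than real XZ history), here is how the timezone inference in the comments above is usually done, and why it is weak evidence. The UTC offset recorded in a git commit is whatever the author's environment, or an explicit GIT_AUTHOR_DATE / `git commit --date`, puts there, so it is an assertion by the committer. The underlying UTC instants are harder to fake convincingly over years, so the usual approach is to ignore the recorded offset and ask which candidate zone would place the activity inside normal working hours. The `SAMPLE_LOG` below is shaped like `git log --format='%h %aI'` output but is invented: every commit claims +08:00 while the actual instants fit a UTC+2 working day.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in `git log --format='%h %aI'` shape. Not real XZ history.
# Every entry *claims* +08:00, but the UTC instants span 07:10-15:15 UTC,
# i.e. 09:10-17:15 in UTC+2 and 15:10-23:15 in UTC+8.
SAMPLE_LOG = """\
1a2b3c4 2023-06-27T15:10:00+08:00
2b3c4d5 2023-06-28T16:45:00+08:00
3c4d5e6 2023-06-29T18:20:00+08:00
4d5e6f7 2023-07-03T19:05:00+08:00
5e6f7a8 2023-07-04T21:30:00+08:00
6f7a8b9 2023-07-05T23:15:00+08:00
7a8b9c0 2023-07-06T22:50:00+08:00
8b9c0d1 2023-07-07T20:00:00+08:00
"""


def parse_log(text):
    """Parse '<sha> <ISO-8601 author date>' lines into (sha, aware datetime)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, stamp = line.split()
        rows.append((sha, datetime.fromisoformat(stamp)))
    return rows


def recorded_offsets(rows):
    """Histogram of the offsets written into the commits.

    These are attacker-controlled: git records whatever TZ the committing
    environment reports, and GIT_AUTHOR_DATE / `git commit --date` override
    it freely. A uniform '+08:00' here proves only that the author wanted
    '+08:00' in the log.
    """
    return Counter(dt.isoformat()[-6:] for _, dt in rows)


def local_hours(rows, offset_hours):
    """Hour of day of each commit if the author actually lived in UTC+offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return [dt.astimezone(tz).hour for _, dt in rows]


def business_hour_fraction(rows, offset_hours, start=9, end=18):
    """Share of commits falling in [start, end) local time for a candidate zone."""
    hours = local_hours(rows, offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)


def rank_candidate_zones(rows, candidates=range(-12, 15)):
    """Rank whole-hour UTC offsets by how well they make the activity look
    like a normal working day. Best candidate first. This is the whole
    'they were active during UTC+1/3 business hours' argument, and it
    inherits every weakness of the inputs: night owls, shift work and
    deliberately scheduled commits all defeat it."""
    return sorted(
        ((business_hour_fraction(rows, off), off) for off in candidates),
        reverse=True,
    )


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("claimed offsets:", dict(recorded_offsets(rows)))
    print("fraction in 09-18 if UTC+8:", business_hour_fraction(rows, 8))
    print("fraction in 09-18 if UTC+2:", business_hour_fraction(rows, 2))
    print("best-fitting zones:", rank_candidate_zones(rows)[:3])
```

On the constructed data the claimed +08:00 puts six of eight commits after 18:00 local, while UTC+2 puts all eight inside 09:00-18:00, which is the kind of mismatch the thread is reasoning from. The caveat is the one the comments make themselves: a patient actor can schedule pushes to fit any zone, so this ranking is a prior, not an attribution.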
The best lie confirms your confirmation bias. Everybody heard about the Chinese hackers attacking US, Ugandan hackers however would raise a few eyebrows.
And from Microsoft / GitHub - who would have a lot of additional information (logs, IP addresses, use of two-factor auth etc.)? Have they made a statement?
Usually Microsoft etc. don't hold back identifying "threat actors".
Is there a US police investigation ongoing that could ask Microsoft? The target of this attack has been US firms / persons so if they report it, I assume a US police investigation would be required.
> And from Microsoft / GitHub - who would have a lot of additional information (logs, IP addresses, use of two-factor auth etc.)? Have they made a statement?
Based on a HN comment from a couple of weeks ago, by analyzing the attacker's IP addresses from IRC chat logins, it seems they used a VPN service. If you think about it, it makes sense to always use a VPN when doing an operation like this. So I think the IP addresses won't be of much use.
I have seen NordVPN’s response to a subpoena. Their response was that they had no records connecting an IP address at a specific date/time to any particular person.
It would be the end of their business if they did, as they have a strict no-retention policy. This would mean they are lying to all their customers, so it is not going to happen.
> using a Chinese front name is a very interesting detail
I have recently read this book: https://www.ifitssmartitsvulnerable.com/ The author mentions a piece of malware which at first glance looked to originate from China (e.g. saved with Mandarin-localized MS Office) but was actually developed in Russia.
Has anyone made a compilation of the most famous (searched for by the whole world) anonymous people? No. 1 must be Satoshi Nakamoto, and No. 2 maybe this one? Are there any others?
Satoshi disappeared one day before Gavin went to the CIA for a Bitcoin presentation. He left the CAlert key and disappeared.
I learned about Bitcoin either days prior or days later. As a newbie I did not care who created Bitcoin, but now I regret not knowing and speaking with him directly.
I thought it was established by now that Paul Le Roux is almost certainly Satoshi. He had the motivation (money laundering), the cryptography knowledge, and him never moving his coins after they became quite valuable is easily explained by the fact he is in prison. As far as I am aware there is no one else for whom all three would be present.
Whoever Satoshi Nakamoto is, once he (she?) moves the coins they become the target of lots of criminal enterprises. Those bitcoins make them a VERY rich person and draws a very bright target on their back. Maybe they just prefer not having to deal with this?
I remember reading the article proposing this and I seem to remember some pretty big differences in coding style (TrueCrypt vs. Bitcoin) and assumed development platform. I'm not convinced tbh