Nothing but speculation so far based on the times they were active. No real signatures left behind.
All we know is they were active during business hours of the UTC+1/3 timezones. They used a Chinese-sounding name as one of their front figures, the one who made most of the commits of malicious code. They wrote English messages that some people claim appear to be a Russian trying to write in English. But that last argument is pretty weak as they could have just masked their origin using Google Translate, or even ChatGPT.
One of the biggest clues is actually one little commit that they let slip with a middle name to the Chinese persona. And some people claim the names don't match up with different Chinese cultures.
After that you can use all your psych 101 experience to try and analyze them but you'll just be guessing.
Personally I think using a Chinese front name is a very interesting detail. They could have used any name in the world; there are open source contributors from all over the world.
Using a name from a country where most people have very little insight is a good way of not being uncovered as fake, of course. But why not use a Ugandan name? Also, using a Chinese name can be perceived as pointing the blame at China, which might be sensitive geopolitically.
They also used a bunch of other fake names (Jigar Kumar, Dennis Ens) for the personas that put social pressure on the original maintainer. And the ifunc changes were done by one "Hans Jansen" who also later opened a merge request to Debian. These are fairly eclectic names with no pattern, which was the point I guess. We don't know what level of misdirection is going on with the names, so "Jia Tan" is interesting but not particularly meaningful either way.
I would argue that Hans Jansen and Dennis Ens (and Jigar Kumar? I don't know about Indian perceptions of names) are a bit off as well. They contain rhymes that make them sound slightly silly. Most parents would want to avoid these. Maybe chosen to avoid matching real people while still seeming commonplace.
So these names seem somewhat similar to "Jia Tan" in their almost-but-not-quite real quality.
Jia Cheong Tan is an anagram of CIA Agent John. If you consider how much went into planning the backdoor operation, it seems virtually certain it's an internal joke.
And why an Asian name? It's certainly exploiting a psychological bias. Apart from what you noted, the names are much more generic than Ugandan names and IMO it's virtually impossible to track a legend down. And the number of OSS contributors from East Asia is much larger than from Africa. Hence a more normalized/frequent occurrence. And lastly if things start going south, some play on the r-card is always up the sleeve of PsyOps personnel.
A Chinese name is consistent with the timezone - alternatively Australia, Russia etc.
Here is my speculation.
I would look at the test framework. The attacker needs the complexity of it to hide away the attack, and it is the first thing he publishes, so it has probably been planned from the very beginning.
This is a homemade thing based on something called "Seatest".
How common is Seatest? Not that common as far as I can tell - maybe someone can correct me?
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind
The thwarted XZ Utils supply chain attack was years in the making. Now, clues suggest nation-state hackers were behind the persona that inserted the malicious code.
...
At a glance, Jia Tan certainly looks East Asian, or is meant to. The time zone of Jia Tan's commits is UTC+8: that's China's time zone, and only an hour off from North Korea's.
Indeed. If it's nation state and years in the making then the idea of all the commit times being faked isn't a stretch.
Hell, even Five Eyes (UK+AU+US+etc.) could seek a Linux backdoor and use Perth, Australia (GMT+8) timezones, or have a submission bot in the UK that just commits at a preset time from a preset IP proxy.
Even if the real origin is identified, that news piece will have much less circulation than the initial suspicion that it's Chinese.
So there are also PR reasons to create a fake trail.
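The timezone argument in this thread rests on one check: compare the UTC offset a committer *declares* in the git timestamp with the offsets under which the commits would fall inside a normal working day. This is an added example, not code from the thread or from the xz project; the commit dates below are constructed to mimic the pattern people describe (declared +0800, UTC hours matching a UTC+1/+3 workday), and the 09:00-17:59 "office hours" window is an assumption.

```python
"""Timezone consistency check for git-style commit timestamps (added example)."""
from collections import Counter
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, in the RFC 2822 form `git log` prints. Every commit
# declares +0800, but the UTC hours cluster around a UTC+2/+3 workday.
SAMPLE_DATES = [
    "Mon, 04 Mar 2024 16:05:11 +0800",
    "Tue, 05 Mar 2024 17:42:30 +0800",
    "Wed, 06 Mar 2024 19:10:02 +0800",
    "Thu, 07 Mar 2024 21:33:45 +0800",
    "Fri, 08 Mar 2024 18:20:19 +0800",
    "Mon, 11 Mar 2024 20:55:07 +0800",
]
WORKDAY = range(9, 18)  # assumed 09:00-17:59 local office hours


def claimed_offsets(dates):
    """Histogram of the UTC offsets embedded in the timestamps, e.g. '+0800'."""
    return Counter(parsedate_to_datetime(d).strftime("%z") for d in dates)


def utc_hours(dates):
    """Hour of day in UTC for each commit, independent of the declared offset."""
    return [parsedate_to_datetime(d).astimezone(timezone.utc).hour for d in dates]


def workday_fit(dates, offsets=range(-12, 15)):
    """For each candidate whole-hour offset, count commits that land in WORKDAY.

    Returns (offset, count) pairs sorted best-first. A declared offset that
    scores poorly while other offsets score well is the inconsistency the
    thread is talking about; it is a lead, not an identification, since the
    declared offset and the wall-clock hours can both be chosen by the author.
    """
    utc = [parsedate_to_datetime(d).astimezone(timezone.utc) for d in dates]
    scores = {}
    for off in offsets:
        local = timezone(timedelta(hours=off))
        scores[off] = sum(1 for t in utc if t.astimezone(local).hour in WORKDAY)
    return sorted(scores.items(), key=lambda kv: (-kv[1], abs(kv[0])))


if __name__ == "__main__":
    print("declared offsets:", dict(claimed_offsets(SAMPLE_DATES)))
    print("UTC hours:", utc_hours(SAMPLE_DATES))
    print("best-fitting offsets:", workday_fit(SAMPLE_DATES)[:4])
```

Feed it real `git log --format=%aD` output to see how the declared offset fares against the alternatives; the committer date (`%cD`) can be checked the same way and sometimes disagrees with the author date.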
The best lie confirms your confirmation bias. Everybody heard about the Chinese hackers attacking US, Ugandan hackers however would raise a few eyebrows.
And from Microsoft / GitHub, who would have a lot of additional information (logs, IP addresses, use of two-factor auth etc.)? Have they made a statement?
Usually Microsoft etc. don't hold back identifying "threat actors".
Is there a US police investigation ongoing that could ask Microsoft? The target of this attack has been US firms / persons so if they report it, I assume a US police investigation would be required.
> And from Microsoft / GitHub, who would have a lot of additional information (logs, IP addresses, use of two-factor auth etc.)? Have they made a statement?
Based on a HN comment from a couple of weeks ago, by analyzing the attacker's IP addresses from IRC chat logins, it seems they used a VPN service. If you think about it, it makes sense to always use a VPN when doing an operation like this. So I think the IP addresses won't be of much use.
I have seen NordVPN’s response to a subpoena. Their response was that they had no records connecting an IP address at a specific date/time to any particular person.
It would be the end of their business if they did, as they have a strict no-retention policy. This would mean they are lying to all their customers, so it is not going to happen.
> using a Chinese front name is a very interesting detail
I have recently read the book https://www.ifitssmartitsvulnerable.com/ The author mentions a malware which at first glance looked to originate from China (e.g. saved with Mandarin-localized MS Office) but was actually developed in Russia.