The long-con theory seems a bit more plausible at the moment
To me that's way more plausible than losing control of your account and the person who compromised it then having someone over a long time insert the backdoor that took a long time to develop and then obfuscate it.
Likely someone at GH is talking to some government agencies right now about the behavior of the private repos of that user and their associated users.
So most likely he didn't wait two years to benefit.
Or they WERE legit and simply went rogue, perhaps due to external factors.
Also nobody checked that person's id, so "Jia" is only slightly more meaningful than "ghrssbitrvii".
Unless you have some very specific cultural knowledge you could not make even vaguely useful deductions about my location, nationality, culture, ethnicity etc. from my name. I get a lot of wrong guesses though!
And some other hints at Eastern Europe, comparing the timezones. Taiwan is still the strongest hint though.
Looking at the times of commits shouldn’t be given much value at all. A pretty pointless endeavour.
https://news.ycombinator.com/item?id=39870925
https://play.clickhouse.com/play?user=play#U0VMRUNUIHRvSG91c...
As some of the Tweet replies mentioned, they shipped releases that contained the backdoor, and committed other questionable changes at the "usual" times. For sure we're almost certainly not dealing with a compromised workstation, so I don't think that would explain the different times for the worst offending changes.
Maybe he has some technical experts/handlers/managers that had to oversee when they introduced the actual malicious changes, and thus this reflects when he got the go-ahead signal from these other people (and thus that reflects their working hours?)
Or maybe they were just travelling at that time? (maybe travelling to visit the aforementioned handlers? Or travel to visit family... even criminals have a mom and dad)
Also, keep in mind that my Clickhouse query includes all of the GitHub interactions (for example, timestamp of issue comments)... and unlike a Git commit timestamp, it's hard to fake those (because you'd need to schedule the posting of such comments, probably via the API. Not impossible, but easier to think that JiaT75 just used the GitHub UI to write comments), the Tweet mentions just "commit history".
Usually the simpler explanation has less chance of being wrong... thinking of some possibilities:
- Chinese/Taiwanese state actor, who employs people 9-5 (but somehow, their guy worked 20.00 - 02.00 local time)
- Chinese/Taiwanese rogue group/lone wolf... moonlighting on this exploit after their day job (given that to interact with Lasse they'd be forced to work late, this is not outside of the realm of possibilities)
- Non-Chinese state actor, employing someone 9-5 (consistent with most of the GitHub interactions), wanting to pin responsibility on China/Taiwan (+0800 timezone for commits), which for some unexplained reason pushed the worst offending changes at really weird times.
- Chinese/Taiwanese state actor, that wanted to pin the blame on western state actors (by making all of the changes at times compatible with someone working in Europe), and somehow they slipped up when pushing the worst offending changes.
- Chinese/Taiwanese state actor, employing someone in Europe (if they need to get approval of changes/gain the trust of the previous maintainer Lasse, it might make sense to have better/more timezone overlap)... which for some weird (yet "innocent") reason, kept the device that they worked on, configured with a +0800 timezone
- Non-Chinese state actor, pretending to be a Chinese entity that wanted to pin the blame on a western entity and slip up by making the worst offending changes at 3am (i.e. it was not a slip up, but it's part of the misdirection efforts.)
Some of these hypotheses are a bit far-fetched, but reality is stranger than fiction.
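The comment above reasons from two different clocks: the author's stated UTC offset on each commit and the UTC hour those timestamps map to. The following Python is an added example (not code from the thread or from the xz project) showing how a reviewer would do that comparison on `git log --format='%h %aI'` output. The log lines are constructed for illustration and are not the real xz history; the hash values and dates are made up.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of `git log --format='%h %aI'` output (abbreviated hash +
# ISO-8601 author date with UTC offset). Made-up data, not the xz repository.
SAMPLE_LOG = """\
a1b2c3d 2023-06-27T21:14:05+08:00
b2c3d4e 2023-07-03T22:40:12+08:00
c3d4e5f 2023-07-08T20:05:44+08:00
d4e5f6a 2023-08-15T01:32:09+08:00
e5f6a7b 2023-11-20T23:55:30+08:00
f6a7b8c 2024-02-23T17:30:00+02:00
a7b8c9d 2024-03-09T12:05:00+02:00
"""


def parse_log(text):
    """Parse '<hash> <iso-date>' lines into (hash, aware datetime) tuples."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, iso = line.split(maxsplit=1)
        dt = datetime.fromisoformat(iso)  # tzinfo is taken from the +HH:MM suffix
        commits.append((sha, dt))
    return commits


def offset_minutes(dt):
    """The author's stated UTC offset, in minutes (e.g. +08:00 -> 480)."""
    return int(dt.utcoffset().total_seconds() // 60)


def dominant_offset(commits):
    """Most frequent stated offset; the 'home' timezone the author claims."""
    counts = Counter(offset_minutes(dt) for _, dt in commits)
    return counts.most_common(1)[0][0]


def offset_outliers(commits):
    """Hashes of commits whose stated offset differs from the dominant one.

    A change of offset is worth a look (travel, a second machine, or a
    different person), but it is author-controlled metadata, so on its own
    it proves nothing.
    """
    dom = dominant_offset(commits)
    return [sha for sha, dt in commits if offset_minutes(dt) != dom]


def hour_histogram(commits, local=True):
    """Commits per hour, either in the author's stated local time or in UTC."""
    hist = Counter()
    for _, dt in commits:
        hour = dt.hour if local else dt.astimezone(timezone.utc).hour
        hist[hour] += 1
    return dict(sorted(hist.items()))


def business_hours_fraction(commits, start=9, end=18, local=True):
    """Share of commits falling in [start, end) hours on the chosen clock."""
    if not commits:
        return 0.0
    hits = 0
    for _, dt in commits:
        hour = dt.hour if local else dt.astimezone(timezone.utc).hour
        hits += start <= hour < end
    return hits / len(commits)


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("dominant offset (min):", dominant_offset(commits))
    print("offset outliers:", offset_outliers(commits))
    print("local-hour histogram:", hour_histogram(commits, local=True))
    print("UTC-hour histogram:  ", hour_histogram(commits, local=False))
    print("9-18 share, stated local:", business_hours_fraction(commits))
    print("9-18 share, UTC:         ", business_hours_fraction(commits, local=False))
```

On the constructed sample the stated +08:00 local hours cluster around 20:00 to 02:00, while the same instants in UTC all land inside a 09:00 to 18:00 window, which is exactly the kind of mismatch the comment is weighing. The caveat from earlier in the thread still applies: the offset and the date are both written by whoever runs `git commit`, so this analysis only tells you what the author wanted the log to say; server-side timestamps such as issue comments are the harder-to-forge signal.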
This is more reckless than any backdoor I can think of by a US agency. NSA backdoored Dual EC DRBG, which was extremely reckless, but this makes that look careful and that was the zenith of NSA recklessness. The attackers here straight up just cowboy'd the joint. I can't think of any instance in which US intelligence used sock puppets on public forums and mailing lists to encourage deployment of the backdoored software and I maintain a list of NSA backdoors: https://www.ethanheilman.com/x/12/index.html
It just doesn't seem like their style.
Operation Northwoods came about because Brig. Gen. Edward Lansdale asked the CIA to come up with a list of pretexts that might be used to justify an invasion of Cuba. This request had a number of planners at the CIA enumerate possible false flags that could be used as a pretext. One of those plans was a terror attack against US citizens. Operation Northwoods was rejected and never implemented.
The US has plans for nearly everything, but there is a massive difference between a plan that some CIA analyst is pitching and something the US is likely or even able to do. The US had all sorts of plans for how to handle a pandemic, but then when one actually happened, the plans couldn't be implemented because the US didn't actually have the capabilities the plans called for.
> example, perhaps they were planning to blame the hack of a power plant or critical infrastructure on this exploit, then use the "evidence" that was leaked to prove it was China, and from there carry out an offensive operation against Chinese infrastructure.
Backdooring OpenSSH would in no way function as a pretext for attacks on Chinese infrastructure. No one outside the tech companies cares about this. The US also doesn't need to invent hacking pretexts, you could just point to one of many exposed Chinese hacking incidents.
And if someone wanted to attack a target running on Loongson, they would certainly have to make sure the code can actually run there in the first place.
Note that it says "Fedora 41" in the CISA page link to Red Hat, but Red Hat changed the blog title to "Fedora 40" and left the HTML page title as "Fedora 41".
> knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;