• psmgx@lemmy.world
    link
    fedilink
    English
    arrow-up
    36
    arrow-down
    3
    ·
    9 months ago

    Sounds like a concerted effort by a reasonably competent state actor. The +0800 timezone offset implies parts of Asia and is a small but crucial detail, esp given the commit times. In other words, China, Malaysia, Korea, etc. – somewhere in Asia.

    OTOH the author even concedes identity theft or smart attempts to discredit and point at Asia. Still, is on par for Chinese and NK actors.

    • sugar_in_your_tea
      link
      fedilink
      English
      arrow-up
      28
      arrow-down
      5
      ·
      edit-2
      9 months ago

      It could also be the opposite, someone trying to act like one of the Asian countries. The article lists the UTC times for the commits at 12-17, which would correspond to 8AM-1PM EST or 5-10AM PDT. That also could be fudged, or it could be a relatively new US spook working primarily in the mornings. Or if it’s someone in Asia, that’s 8PM-1AM, which is the perfect time for an evening hacker.

      It’s really not clear who’s behind it.

      I’m guessing an independent hacker in Asia because a state actor would probably just exploit existing bugs instead of adding new ones, and they certainly wouldn’t do something as obvious as “safe_fprintf -> fprintf.” I’m guessing this is all one individual trying to create business for themselves.

    • mwguy@infosec.pub
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      In other words, China, Malaysia, Korea, etc. – somewhere in Asia.

      The Shadow Broker’s leaks showed that state actors had whole tool suites to ensure that the product appeared like it was coming from a different location. Given that those tools have been leaked since 2016 and the concept is even older; relying on metadata like timezones, character set, etc… to make determinations about location is unreliable at best.