I did my own research. If you look at the git repository commit log and some mailing list messages, you will see that the author ("Jia Tan", fake name) speaks impeccable English (already lessens the chance of being a Chinese operative), however he commits in the +0800 time zone (Beijing). He works during Chinese holidays and doesn't work during Western holidays.
However, the times don't make sense: It looks like he works mostly at 2am: https://files.catbox.moe/6mdtez.png (hours in the +0800 timezone). I understand this to be indicative of using a different timezone on the computer than where he actually worked, possibly knowing that git commits include the timezone.
If you shift the timezone to US East Coast -0400, it suddenly looks like a very comfortable full-time job, including a fall in commit rate right where the lunch break should be: https://files.catbox.moe/dtvjzr.png
To me, considering that this appears to be a nation-state tier attack, this heavily indicates that it was the Americans. Obviously not conclusive proof, but I think it is useful evidence.
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Fri Jan 20 21:53:14 2023 +0800
New Years Day (Federal):
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Mon Jan 2 22:33:48 2023 +0800
Edit: Also my graphs don't seem to match yours. Did you account for the fact that US/Eastern is -0500 part of the year? I show a spike at what would be 7 am Eastern for both author dates https://imgur.com/a/QcJy16h and commit dates https://imgur.com/a/oMsbNOh and essentially no work being done after noon.
It's a nice analysis but he misses the fact that the Eastern Europe timezone doesn't match office hours, in particular it'd mean he worked around evenings primarily (see this graph https://files.catbox.moe/4itspl.png)
I had noticed UTC+0300 commits in the repository under his name but I believed they might have been simply committed by the main Finnish maintainer who is in the UTC+0300 timezone.
> But I would like to see analysis of timestamp of GitHub events (like PRs and comments timestamps) which are harder to fake.
I doubt the git commit timestamps are faked, since actually faking them is somewhat difficult to do consistently (you would time travel frequently). I don't think there is some kind of github API for this, however from what I've seen they seem to match up with the same work timespan you see in the commit timestamps.
> I had noticed UTC+0300 commits in the repository under his name but I believed they might have been simply committed by the main Finnish maintainer who is in the UTC+0300 timezone.
There was this one though where they are the author and committer... one in +0300, the other in +0800:
commit 3d1fdddf92321b516d55651888b9c669e254634e
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit: Jia Tan <jiat0218@gmail.com>
CommitDate: Tue Jun 27 23:56:06 2023 +0800
The time between writing the file and the commit is 89 minutes.
I literally run a git hook that fixes my commit times so I don’t look like a freak to my coworkers making commits at 3am, I think an actor of this caliber would too, so I would bet the git commit times are highly choreographed.
FYI, the Australian comment is wrong: WA (which uses UTC+8) does not do DST (there's a party to add it, and multiple referenda which failed to add it). Given ASIS is in Canberra (as far as we know ;)), it probably wasn't them.
> He works during Chinese holidays and doesn't work during Western holidays.
“Western Holidays”, as if that is a coherent, cross-nationally consistent set.
Other than the fact that your specific suggestion of it being American makes little sense based on this, since it's not accurately construed as American holidays, this phrasing is bizarre in this context.
and then processed it a bit with gnuplot. Should not be difficult to reproduce this graph, but I am not too much of a gnuplot wizard so I first preprocessed this into some different files in a REPL. Don't have the full code of what I did but it should not be difficult to reproduce, just parse the dates and look at the hours.
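An added example, not code from the post above or from any commenter: one way to do the "parse the dates and look at the hours" step in Python. The sample log is constructed from the header lines quoted in this thread, and the function names are made up for the example; passing a `ZoneInfo` zone instead of a fixed offset accounts for the -0500/-0400 switch raised earlier.

```python
import re
from collections import Counter
from datetime import datetime
from zoneinfo import ZoneInfo  # used only by the demo at the bottom

# Constructed input: header lines quoted in this thread, `git log --format=fuller` style.
SAMPLE_LOG = """\
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Fri Jan 20 21:53:14 2023 +0800
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Mon Jan 2 22:33:48 2023 +0800
commit 3d1fdddf92321b516d55651888b9c669e254634e
Author: Jia Tan <jiat0218@gmail.com>
AuthorDate: Tue Jun 27 17:27:09 2023 +0300
Commit: Jia Tan <jiat0218@gmail.com>
CommitDate: Tue Jun 27 23:56:06 2023 +0800
"""

DATE_LINE = re.compile(r"^(AuthorDate|CommitDate):\s+(.+)$", re.M)

def parse_dates(log_text):
    """Return [(field, aware datetime)] for every AuthorDate/CommitDate line."""
    return [(field, datetime.strptime(value.strip(), "%a %b %d %H:%M:%S %Y %z"))
            for field, value in DATE_LINE.findall(log_text)]

def recorded_offsets(stamps):
    """Count the UTC offsets the committing machine wrote into the log."""
    return Counter(dt.strftime("%z") for _, dt in stamps)

def hours_in_zone(stamps, tz, field="AuthorDate"):
    """Histogram of local hour-of-day after re-expressing each stamp in tz."""
    return Counter(dt.astimezone(tz).hour for f, dt in stamps if f == field)

def author_commit_lag(stamps):
    """Lag between each CommitDate and the AuthorDate immediately before it."""
    lags, last_author = [], None
    for field, dt in stamps:
        if field == "AuthorDate":
            last_author = dt
        elif last_author is not None:
            lags.append(dt - last_author)
            last_author = None
    return lags

if __name__ == "__main__":
    stamps = parse_dates(SAMPLE_LOG)
    print(recorded_offsets(stamps), author_commit_lag(stamps))
    for name in ("Asia/Shanghai", "Europe/Helsinki", "America/New_York"):
        print(name, sorted(hours_in_zone(stamps, ZoneInfo(name)).items()))
```

The offset in each stamp is whatever the committing machine was configured with, so the histogram only shows which candidate zones make the recorded instants look like a working day.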