62 Comments
Apr 1

To add another clue that this guy is not Chinese.

If his full name "Jia Cheong Tan" is real, it can never be a valid romanization of Han characters as used in China, but rather one from somewhere in Southeast Asia like Malaysia. The spelling "Cheong" is not used in China today, and Chinese people now tend to concatenate all the characters of their first name when writing it in Latin letters, e.g.

https://scholar.google.com/citations?user=mu5Y2rYAAAAJ&hl=en is "Yangqing Jia", not "Yang Qing Jia".

That's fair, but he could be Malaysian or Singaporean of Chinese ethnicity, right (the word "Chinese" is overloaded, so I wasn't sure if you meant in China or ethnic Chinese)? Those places have a much larger mix of Chinese from different backgrounds, and not all of them use full standard pinyin for names. Both Malaysia and Singapore use UTC+8 *and* it's been pointed out before that Jia Tan may use a Singapore VPN: https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Yeah, I don't mean the ethnicity but the cultural background. To be clearer, I should say it is not a mainland Chinese name. Actually I don't think digging into what is behind the name is meaningful, as his name and IP are by no means real for such a plot. Just to point out how superficial it is to say he is from China.

Yeah that's fair enough. I guess I know "Jia Tan" is a completely meaningless made-up name too but couldn't resist lol.

It could be that he decided to spell it out as a separate word because he normally uses the shorter "Jia Tan" variant, and people outside of China would think that "Jiacheng" is a totally different first name, whereas they are used to the concept of middle names, which are commonly omitted.

I should say it is really odd for people with an EA/SEA background to do so. If I'm going to shorten my name, I wouldn't even consider omitting the middle character as an option. I have also never seen anyone do that. From my point of view, it at least indicates that he could have some sort of cultural background outside of East Asia.

Fair enough, I understand that you have a much better understanding of naming conventions in China. My comment is based on my personal experience working with many Chinese people (mostly from the mainland) in an international setting, where I've seen quite a few adopt shortened and sometimes even westernized first names. I can't speak for how and why they did it, just something I've observed. But in any case, the likelihood of this being a real name is close to zero for obvious reasons.

Apr 11 (edited Apr 11)

Exactly. The name looks pretty weird to me. It's more likely that this comes from an attacker who has no Chinese cultural background and messed up the fake name, rather than some Chinese attacker who tried to hide their identity and did it poorly without trying to hide their time zone, but miraculously worked, or tried to fake their activity by working during Lunar New Year. There's no middle name in Chinese culture, and the only reason a Chinese person would use a "middle" name is to display their English name, such as San (Sam) Zhang, which is not the case here. A Chinese attacker who tries to hide their identity (except for their Chinese identity) would not put a Cantonese/Malaysian name as their "middle" name. It just doesn't make sense to me.

What tells you that "Cheong" is a part of the name? In Singlish one often uses "cheong" to mean "efficient" or "forceful" (well, yes, I worked there in SG for 8 years :-)).

It could be Jia "Cheong" Tan, as simple as that.

I read somewhere that "Jia Tan" used a proxy server in Singapore to push their commits, so there is a bit of SG connection here.

Cheong is a typical name used in HK, Macao, Malaysia and Singapore, mostly a Cantonese name.

So it may be 谭家昌 (Ka Cheong Tam), very typical Cantonese.

But in mainland China it should be Jia Chang Tan or Jiachang Tan, so Jia Cheong is not a common Chinese name.

Apr 1

Two of the +0200 commits by Jia Tan, de5c5e4 and e446ab7a, have committer Lasse Collin. These appear to have been sent by email from Jia and applied with git am. Note that these and some commits immediately before and after all have identical timestamps, which is consistent with git am of a series of patch files.

This somewhat invalidates this analysis, because you can't rely on timezone information when patches are being mailed around.

I discuss some timestamp analysis of this and other clusters of timestamps here: 18abfde18f8d1cf02a914df72b1370e3

Apr 3 (edited Apr 3), Author

It seems this is true for most of Jia's +0200/+0300 commits. However, there are lots of other commits which Jia wrote and Lasse committed, where Jia's time is +0800. Overall, like you, I am not sure about which workflow would cause this.

Apr 1, Author

That's a really good point. If true, it would invalidate some of the time zone analysis (but not how well the commit times match up with UTC+2/3 work times or the holidays). We'll have a closer look at the commits you flagged.

It might be worth checking with Lasse whether there's anything in their workflow that might cause the timezone to be changed.

There's only one commit that *wasn't* committed by Lasse where Jia shows a non-0800 timezone, shown below. Perhaps Lasse can reconstruct how that particular commit was handled.

commit 3d1fdddf92321b516d55651888b9c669e254634e
tree 83e71c2be9541e9a014127488cdba1c89be2ddac
parent b4cf7a2822e8d30eb2b12a1a07fd04383b10ade3
author Jia Tan <jiat0218@gmail.com> 1687876029 +0300
committer Jia Tan <jiat0218@gmail.com> 1687881366 +0800

Docs: Document the configure option --disable-ifunc in INSTALL.

Errr, I meant to link to here: https://hachyderm.io/@joeyh/112193146103113070

Apr 2

A quick analysis of 2021 holidays on Mon-Fri for countries in the EEST time zone shows the following matches:

• 100% Belarus, Moldova
• 85% Ukraine
• 83% Romania
• 75% Bulgaria, Finland, Latvia
• 74% Cyprus, Madagascar, Somalia
• 72% Kenya
• 71% Eritrea, Estonia, Ethiopia, Syria
• 69% Iraq, Tanzania, Uganda
• 68% Djibouti, Lebanon, Russia, Yemen
• 67% Bahrain, Greece, Lithuania
• 66% Comoros
• 64% Jordan
• 62% Kuwait
• 61% Qatar
• 38% Israel
• 29% Türkiye
• 23% Saudi Arabia

Other countries for reference:

• 100% Poland
• 86% France, Ireland
• 82% Armenia
• 76% Georgia
• 75% United Kingdom
• 73% South Africa
• 71% Argentina, Belgium, Norway
• 70% North Korea, South Korea
• 67% Italy, Japan, Taiwan
• 65% Kazakhstan
• 64% Brazil
• 62% USA
• 61% China
• 60% Germany, Mexico, Sweden
• 59% Thailand
• 58% Albania
• 57% Singapore
• 55% South Korea
• 56% Canada
• 50% Australia, India, Mexico, North Korea, Spain
• 40% Cuba, Norway
• 38% Iran
• 32% Indonesia

How did you do that analysis? Can you please do one with the 2022 holidays, since that was when they were most active?

Apr 1

Your habits are you, even if you're pretending not to be you.

Your analysis is brilliant. I can confirm those "Chinese bank holidays" are real holidays in China. And it's very unlikely that a Chinese person would do Git work for 5 consecutive days during the Chinese New Year holidays.

I used to do this lol 😂 Even working from 17:00 to 4:00 the next day. A KUBI Chinese freelance programmer

By the way, only mainland China has poor holidays...

This is the place to discuss this backdoor incident, not the place to discuss whether holidays in mainland China are bad or not. Besides, why are you so resistant to holidays in mainland China? What do you want to express?

Mar 31

nice article

It could be a false flag operation. I mean, if I were a spy working for a Western agency or corporation, I would choose Jia Tian and make all my interactions appear to come from China or Russia. It does not take a genius spy or a master of disguise to do that. I also do not buy the excuse that "because it was done this way and against this asset, it cannot be X, Y, Z who did it, it must be China or Russia". That's simple-minded and somehow implies that there are lower-level ways to achieve this, which is simply not true unless you work for distinguished, sophisticated, exceptional parties.

Regarding the holidays, consider that Orthodox holiday dates, observed in many Eastern European countries, are not the same: https://www.timeanddate.com/holidays/type/orthodox

Russian Orthodox Christmas is not on the 25th of December; it's on the 7th of January, and most of Eastern Europe has that as a holiday.

But he doesn't work on Jan 7 either.

If you look at his GitHub graph (https://web.archive.org/web/20240329163626/https://github.com/JiaT75) you can see that he also worked on weekends. I'm afraid it will be impossible to prove your office hours hypothesis. It's not impossible that his workplace had him work on weekends, but you would have to find a country with matching office hours and where public holidays 100% match the days of his inactivity in every year. Some people in the comments were able to "prove" a certain country by cherry-picking the data, but you have to take all years into account.

In mainland China, almost nobody works during the Lunar New Year holiday, especially not on January 21 and 22, 2023. These are the most important days of the year, marking Chinese New Year's Eve and the first day of the Lunar New Year. Since holidays are rare in China, no one works on these days. Also, because of the unpopular shift system, people have to work on January 28 and 29, 2023, even though they're weekends. So, if someone had to work during this holiday, they'd be working 14 days straight from January 21 to February 3, 2023. That would be a terrible experience, and I doubt anyone would want to do it.

Here's a graph of just Jia Tan's commits. To me it looks like there's a very clear 12 noon UTC start time most days:

https://mastodon.social/@rvstaveren@mastodon.online/112185625762235904

Wait, you're seeing a normal working day for them in +0300? When I looked at a graph of their commit times, there seemed to be a start time most days around noon UTC, which would be 9am in the *-0300* time zone.

Or 8am in the -0400 time zone, i.e. Eastern Daylight Time.

Apr 1 (edited Apr 1)

More evidence:

Jigar Kumar (most probably Jia Tan's fake account, used to promote himself) wrote the letter at Wed, 27 Apr 2022 11:42:57 -0700 (the time is in the destination server's time zone).

https://www.mail-archive.com/xz-devel@tukaani.org/msg00555.html

But when Jia Tan replied as himself, his email program marked it "On Thu, 28 Apr 2022 at 02:42, Jigar Kumar <jigarkuma...@protonmail.com> wrote". That gives a 15-hour time zone difference from the destination mail server, which means Jia Tan replied from the +0300 time zone.

https://www.mail-archive.com/xz-devel@tukaani.org/msg00556.html

Apr 2 (edited Apr 2)

15 hours time zone difference means that Jia was in the +0800 time zone (or at least had that timezone set on his computer): -7+15=8.

The difference between -0700 and +0300 is only 10 hours.

That is correct: https://savvytime.com/converter/mst-to-eritrea-keren-awst/jan-9-2024/11-45am

top is -0700, middle is +0300, bottom is +0800

(I included a random date in the URL, because otherwise this website tries to adjust for daylight saving time and it messes up the calculation.)

Thanks for the nice analysis, but have you considered that multiple people work on the account?

Nice analysis! There are a few errors though. They don't significantly affect the conclusions (they might even make your case stronger), but they're confusing.

A general remark: Git timestamps show local times and local timezone offsets. To calculate UTC times from them, we have to *subtract* the timezone offset from the local time. For example, 13:00:00 +0300 means 10:00:00 UTC (*not* 16:00:00 UTC).

"Notably, on 6 Oct 2022, we see two commits, one at 21:53:09 +0300 followed by another at 17:00:38 +0800."

"followed by" is incorrect. The commit at 17:00:38 +0800 (hash 827ac5b) is older, the one at 21:53:09 +0300 (hash 6a86e81) comes after it.

Which makes sense, because 17:00:38 +0800 is 09:00:38 UTC, and 21:53:09 +0300 is 18:53:09 UTC.

"If we do the math, there is about an 11-hour difference between the two commits."

That's also incorrect. The difference between 09:00:38 UTC and 18:53:09 UTC is 09:52:31.

"Even more damning, on Jun 27, 2023, we see the following: one commit at 23:38:32 +0800, another at 17:27:09 +0300. This is only a difference in a matter of minutes!"

"minutes" is incorrect. 23:38:32 +0800 is 15:38:32 UTC, and 17:27:09 +0300 is 14:27:09 UTC. The difference between them is 01:11:23.
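To make the offset arithmetic in this thread reproducible (the UTC conversions and commit gaps in the comment above, the quoted mail headers in the Jigar Kumar comment, and the raw author/committer lines of commit 3d1fdddf), here is an added Python script. It is not part of the original article or of any commenter's post; the function names are my own, and the only inputs are timestamps quoted in the thread.

```python
"""Git/mail local timestamps -> UTC, plus the comparisons made in this thread.
Added example (not from the article); inputs are timestamps quoted above."""
import re
from datetime import datetime, timedelta, timezone

OFFSET_RE = re.compile(r"^([+-])(\d{2})(\d{2})$")

def parse_offset(tz: str) -> timezone:
    """Turn a git/mail offset such as '+0300' or '-0700' into a tzinfo."""
    m = OFFSET_RE.match(tz)
    if not m:
        raise ValueError(f"bad offset: {tz!r}")
    sign = 1 if m.group(1) == "+" else -1
    return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))

def to_utc(local: str, tz: str) -> datetime:
    """'2022-10-06 21:53:09' with '+0300' -> 18:53:09 UTC: the offset is *subtracted*."""
    naive = datetime.strptime(local, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=parse_offset(tz)).astimezone(timezone.utc)

def gap(a_local: str, a_tz: str, b_local: str, b_tz: str) -> timedelta:
    """Real elapsed time between two local timestamps, whatever their offsets."""
    return abs(to_utc(a_local, a_tz) - to_utc(b_local, b_tz))

def raw_header_local(line: str) -> str:
    """Render a raw 'author/committer ... <epoch> <offset>' line as local wall-clock time."""
    epoch, tz = line.split()[-2:]
    return datetime.fromtimestamp(int(epoch), parse_offset(tz)).strftime("%Y-%m-%d %H:%M:%S %z")

def infer_offset(sent_local: str, sent_tz: str, quoted_local: str) -> timedelta:
    """Offset of the mailbox that re-quoted a Date header in its own local time.

    The quoted 'On Thu, 28 Apr 2022 at 02:42' line carries no seconds or zone,
    so the result is rounded to the nearest quarter hour.
    """
    sent_utc = to_utc(sent_local, sent_tz).replace(tzinfo=None)
    quoted = datetime.strptime(quoted_local, "%Y-%m-%d %H:%M")
    return timedelta(minutes=15 * round((quoted - sent_utc) / timedelta(minutes=15)))

if __name__ == "__main__":
    # 6 Oct 2022: 17:00:38 +0800 is the older commit; 21:53:09 +0300 follows it.
    print(gap("2022-10-06 17:00:38", "+0800", "2022-10-06 21:53:09", "+0300"))  # 9:52:31
    # 27 Jun 2023 pair: just over an hour apart, not minutes.
    print(gap("2023-06-27 23:38:32", "+0800", "2023-06-27 17:27:09", "+0300"))  # 1:11:23
    # Raw header of commit 3d1fdddf quoted above, rendered in its own offset.
    print(raw_header_local("author Jia Tan <jiat0218@gmail.com> 1687876029 +0300"))
    # Mail sent at 11:42:57 -0700, quoted back as 02:42 the next day: -7 + 15 = +8.
    print(infer_offset("2022-04-27 11:42:57", "-0700", "2022-04-28 02:42"))  # 8:00:00
```

The author line of commit 3d1fdddf renders as 17:27:09 +0300, i.e. the same +0300 commit the correction above compares against the 23:38:32 +0800 one.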