If his full name "Jia Cheong Tan" is real, it can never be a valid romanization of han character used in China but somewhere in southeast asia like Malaysia. The spelling "Cheong" is not being used in China now and today Chinese tends to concatenate all the characters of their first name if written in letters. e.g.
That's fair, but he could be Malaysian or Singaporean of Chinese ethnicity right (the word "Chinese" is overloaded so I wasn't sure if you meant in China or ethnic Chinese)? Those places have a much larger mix of Chinese from different backgrounds and not all of them use full standard pinyin for names. Both Malaysia and Singapore use UTC+8 *and* it's been pointed out before that Jia Tan may use a Singapore VPN https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Yeah I don't mean the ethnicity but the culture background. To be more clear I should say it is not a mainland Chinese name. Actually I don't think digging out what is behind the name is meaningful as his name and ip are by no means real for such a plot. Just to point out how superficial it is to say he is from China.
It could be that he decided to spell it out as a separate word because he's normally using the shorter "Jia Tan" variant, and people outside of China would think that "Jiacheng" is a totally different first name, whereas they are used to the concept of middle names which are commonly omitted.
I should say it is really odd for people with EA/SEA background to do so. If I'm going to shorten my name, I wouldn't even consider omitting the middle character as an option. I also have never seen anyone did that. From my point of view it at least indicate that he could have some sort of culture background outside of east asia.
Fair enough, I understand that you have a much better understanding of naming conventions in China. My comment is based on my personal experience working with many Chinese people (mostly from the mainland) in an international setting, where I've seen quite a few adapt shortened and sometimes even westernized first names. I can't speak for how and why they did it, just something I've observed. But in any case, the likelihood of this being a real name is close to zero for obvious reasons.
Exactly. The name looks pretty weird to me. It's more likely that this comes from an attacker who has no Chinese cultural background and messed up with the fake name, rather than some Chinese attacker who tried to hide their identity and did it poorly without trying to hide time zone, but miraculously worked or tried to fake their activities by working during lunar new year. There's no middle name in Chinese culture, and the only reason that a Chinese person would use a "middle" name is to display their English name, such as San (Sam) Zhang, which is not in this case. A Chinese attacker who tries to hide their identity (except for their Chinese identity) would not put a Cantonese/Malaysian name as their "middle" name. It just doesn't make sense to me.
What does tell you that "Cheong" is a part of the name? In Singlish one often uses "cheong" to mean "efficient", "forceful" (well, yes, I worked there in SG for 8 years :-)).
It could be Jia "Cheong" Tan, as simple as that.
I read somewhere that "Jia Tan" used a proxy server in Singapore to push their commits, so there is a bit of SG connection here.
Two of the +0200 commits by Jia Tan, de5c5e4 and e446ab7a have committer Lasse Collin. These appear to have been sent by email from Jia and applied with git am. Note that these and some commits immediately before and after all have identical timestaps, which is consistent with git am of a series of patch files.
This somewhat invalidates this analysis, because you can't rely on timezone information when patches are being mailed around.
I discuss some timestamp analysis of this and other clusters of timestamps here: 18abfde18f8d1cf02a914df72b1370e3
It seems this is true for most of Jia's +0200/+0300 commits. However, there are lots of other commits which Jia wrote and Lasse committed, where Jia's time is +0800. Overall, like you, I am not sure about which workflow would cause this.
That's a really good point. If true, it would invalidate some of the time zone analysis (but not how well the commit times match up with UTC+2/3 work times or the holidays). We'll have a closer look at the commits you flagged.
It might be worth checking with Lasse if there's anything in their workflow that might cause the timezone being changed.
There's only one commit that *wasn't* committed by Lasse where Jia shows a non-0800 timezone, shown below. Perhaps Lasse can reconstruct how that particular commit was handled.
Your analysis is brilliant. I can confirm those "Chinese bank holidays" are real holidays in China. And it's very unlikely that a Chinese doing some Git work for 5 days consecutively during Chinese new year holidays.
This is the place to discuss this backdoor incident, not the place to discuss whether holidays in mainland China are bad or not. Besides, why are you so resistant to holidays in mainland China? What do you want to express?
It could be a false flag operation. I mean, if I were a spy working for a Western agency or corporation, I would choose Jia Tian and make all my interactions appear to come from China or Russia. It does not take a genius spy or a master of disguise to do that. I also do not buy the excuse that "because it was done this way and against this asset, it cannot be X, Y, Z who did it, it must be China or Russia". That's simple-minded and somehow implies that there are lower-level ways to achieve this, which is simply not true unless you work for distinguished and sophisticated, exceptional parties.
If you look at his GitHub graph (https://web.archive.org/web/20240329163626/https://github.com/JiaT75) you can see that he also worked on weekends. I'm afraid it will be impossible to prove your office hours hypothesis. It's not impossible that his workplace had him work on weekends, but you would have to find a country with matching office hours and where public holidays 100% match the days of his inactivity in every year. Some people in the comments were able to "prove" a certain country by cherry-picking the data, but you have to take all years into account.
In mainland China, almost nobody works during the Lunar New Year holiday, especially not on January 21 and 22, 2023. These are the most important days of the year, marking Chinese New Year's Eve and the first day of the Lunar New Year. Since holidays are rare in China, no one works on these days. Also, because of the unpopular shift system, people have to work on January 28 and 29, 2023, even though they're weekends. So, if someone had to work during this holiday, they'd be working 14 days straight from January 21 to February 3, 2023. That would be a terrible experience, and I doubt anyone would want to do it.
Wait, you're seeing a normal working day for them in +0300? When I looked at a graph of their commit times, there seemed to be a start time most days around noon UTC, which would be 9am in the *-0300* time zone.
Or 8am in the -0400 time zone, i.e. Eastern Daylight Time.
Jigar Kumar (most probably, Jia Tan's fake account used to promote himself) wrote the letter at Wed, 27 Apr 2022 11:42:57 -0700 (time is in destination server’s time zone).
But when Jia Tan replied as he-self, his email program marked “ On Thu, 28 Apr 2022 at 02:42, Jigar Kumar <jigarkuma...@protonmail.com> wrote”. It gives 15 hours time zone difference to destination mail server, that means Jia Tan replied being in +0300 time zone.
December, 25 in 2021-2023 was on Saturday, Sunday or Monday so it should not signal regular Christmas celebration, given that most commits were made on Tue-Fri.
I have a feeling that somehow Cyprus and Russia might be connected in this case. You see, the regular Christmas is celebrated on Dec 25, although the Orthodox one is on Jan 7. After the Russia/Ukraine war started, a notable amount of high-tech companies relocated their employees from Russia to Cyprus for you know, various reasons. Sometimes these companies give an ability to celebrate important holidays from both of the countries in the new location. Obviously, I don't think the Greeks themselves could be the case but given the Cyprus/Russia relations this could explain the timezone changes.
And someone mentioned Jan 13 being a notable day in Russia. Safe to say, it's not, if none of the commits have been posted at this day in any year, it's just a coincidence.
But just FYI, the first 8-10 days of January are bank holidays in Russia each year.
To add on another clue this guy is not Chinese.
If his full name "Jia Cheong Tan" is real, it can never be a valid romanization of han character used in China but somewhere in southeast asia like Malaysia. The spelling "Cheong" is not being used in China now and today Chinese tends to concatenate all the characters of their first name if written in letters. e.g.
https://scholar.google.com/citations?user=mu5Y2rYAAAAJ&hl=en is "Yangqing Jia" but not "Yang Qing Jia".
That's fair, but he could be Malaysian or Singaporean of Chinese ethnicity right (the word "Chinese" is overloaded so I wasn't sure if you meant in China or ethnic Chinese)? Those places have a much larger mix of Chinese from different backgrounds and not all of them use full standard pinyin for names. Both Malaysia and Singapore use UTC+8 *and* it's been pointed out before that Jia Tan may use a Singapore VPN https://boehs.org/node/everything-i-know-about-the-xz-backdoor
Yeah I don't mean the ethnicity but the culture background. To be more clear I should say it is not a mainland Chinese name. Actually I don't think digging out what is behind the name is meaningful as his name and ip are by no means real for such a plot. Just to point out how superficial it is to say he is from China.
Yeah that's fair enough. I guess I know "Jia Tan" is a completely meaningless made-up name too but couldn't resist lol.
It could be that he decided to spell it out as a separate word because he's normally using the shorter "Jia Tan" variant, and people outside of China would think that "Jiacheng" is a totally different first name, whereas they are used to the concept of middle names which are commonly omitted.
I should say it is really odd for people with EA/SEA background to do so. If I'm going to shorten my name, I wouldn't even consider omitting the middle character as an option. I also have never seen anyone did that. From my point of view it at least indicate that he could have some sort of culture background outside of east asia.
Fair enough, I understand that you have a much better understanding of naming conventions in China. My comment is based on my personal experience working with many Chinese people (mostly from the mainland) in an international setting, where I've seen quite a few adapt shortened and sometimes even westernized first names. I can't speak for how and why they did it, just something I've observed. But in any case, the likelihood of this being a real name is close to zero for obvious reasons.
Exactly. The name looks pretty weird to me. It's more likely that this comes from an attacker who has no Chinese cultural background and messed up with the fake name, rather than some Chinese attacker who tried to hide their identity and did it poorly without trying to hide time zone, but miraculously worked or tried to fake their activities by working during lunar new year. There's no middle name in Chinese culture, and the only reason that a Chinese person would use a "middle" name is to display their English name, such as San (Sam) Zhang, which is not in this case. A Chinese attacker who tries to hide their identity (except for their Chinese identity) would not put a Cantonese/Malaysian name as their "middle" name. It just doesn't make sense to me.
What does tell you that "Cheong" is a part of the name? In Singlish one often uses "cheong" to mean "efficient", "forceful" (well, yes, I worked there in SG for 8 years :-)).
It could be Jia "Cheong" Tan, as simple as that.
I read somewhere that "Jia Tan" used a proxy server in Singapore to push their commits, so there is a bit of SG connection here.
Cheong is a typical name use in HK, Macao, Malaysia and Singapore, mostly a Cantonese name.
So it may be 谭家昌 (Ka Cheong Tam), very typical Cantonese.
But in mainland China it should be Jia Chang Tan or Jiachang Tan, so Jia Cheong is not a common Chinese name.
Two of the +0200 commits by Jia Tan, de5c5e4 and e446ab7a have committer Lasse Collin. These appear to have been sent by email from Jia and applied with git am. Note that these and some commits immediately before and after all have identical timestaps, which is consistent with git am of a series of patch files.
This somewhat invalidates this analysis, because you can't rely on timezone information when patches are being mailed around.
I discuss some timestamp analysis of this and other clusters of timestamps here: 18abfde18f8d1cf02a914df72b1370e3
It seems this is true for most of Jia's +0200/+0300 commits. However, there are lots of other commits which Jia wrote and Lasse committed, where Jia's time is +0800. Overall, like you, I am not sure about which workflow would cause this.
That's a really good point. If true, it would invalidate some of the time zone analysis (but not how well the commit times match up with UTC+2/3 work times or the holidays). We'll have a closer look at the commits you flagged.
It might be worth checking with Lasse if there's anything in their workflow that might cause the timezone being changed.
There's only one commit that *wasn't* committed by Lasse where Jia shows a non-0800 timezone, shown below. Perhaps Lasse can reconstruct how that particular commit was handled.
commit 3d1fdddf92321b516d55651888b9c669e254634e
tree 83e71c2be9541e9a014127488cdba1c89be2ddac
parent b4cf7a2822e8d30eb2b12a1a07fd04383b10ade3
author Jia Tan <jiat0218@gmail.com> 1687876029 +0300
committer Jia Tan <jiat0218@gmail.com> 1687881366 +0800
Docs: Document the configure option --disable-ifunc in INSTALL.
Errr, I meant to link to here: https://hachyderm.io/@joeyh/112193146103113070
A quick analysis of 2021 holidays on Mon-Fri for countries in EEST time zone shows the following matches:
• 100% Belarus, Moldova
• 85% Ukraine
• 83% Romania
• 75% Bulgaria, Finland, Latvia
• 74% Cyprus, Madagascar, Somalia
• 72% Kenya
• 71% Eritrea, Estonia, Ethiopia, Syria
• 69% Iraq, Tanzania, Uganda
• 68% Djibouti, Lebanon, Russia, Yemen
• 67% Bahrain, Greece, Lithuania
• 66% Comoros
• 64% Jordan
• 62% Kuwait
• 61% Qatar
• 38% Israel
• 29% Türkiye
• 23% Saudi Arabia
Other countries for reference:
• 100% Poland
• 86% France, Ireland
• 82% Armenia
• 76% Georgia
• 75% United Kingdom
• 73% South Africa
• 71% Argentina, Belgium, Norway
• 70% North Korea, South Korea
• 67% Italy, Japan, Taiwan
• 65% Kazakhstan
• 64% Brazil
• 62% USA
• 61% China
• 60% Germany, Mexico, Sweden
• 59% Thailand
• 58% Albania
• 57% Singapore
• 55% South Korea
• 56% Canada
• 50% Australia, India, Mexico, North Korea, Spain
• 40% Cuba, Norway
• 38% Iran
• 32% Indonesia
How did you do that analysis? Can you please do one with the 2022 holidays, since that was when they were most active?
Your habits, are you, even if you're pretending to be not you.
Your analysis is brilliant. I can confirm those "Chinese bank holidays" are real holidays in China. And it's very unlikely that a Chinese doing some Git work for 5 days consecutively during Chinese new year holidays.
I used to do this lol😂 Even works from 17:00 - 4:00 next day. A KUBI Chinese freelancer progammer
By the way, only mainland China has poor holidays...
This is the place to discuss this backdoor incident, not the place to discuss whether holidays in mainland China are bad or not. Besides, why are you so resistant to holidays in mainland China? What do you want to express?
nice article
It could be a false flag operation. I mean, if I were a spy working for a Western agency or corporation, I would choose Jia Tian and make all my interactions appear to come from China or Russia. It does not take a genius spy or a master of disguise to do that. I also do not buy the excuse that "because it was done this way and against this asset, it cannot be X, Y, Z who did it, it must be China or Russia". That's simple-minded and somehow implies that there are lower-level ways to achieve this, which is simply not true unless you work for distinguished and sophisticated, exceptional parties.
Regarding the holidays, consider Orthodox holiday dates, observed in many Eastern European countries, are not the same: https://www.timeanddate.com/holidays/type/orthodox
Russian Orthodox Christmas is not on the 25th of December - it's on the 7th of January - most of Eastern Europe has that as a holiday.
But he doesn't work on Jan 7 too.
If you look at his GitHub graph (https://web.archive.org/web/20240329163626/https://github.com/JiaT75) you can see that he also worked on weekends. I'm afraid it will be impossible to prove your office hours hypothesis. It's not impossible that his workplace had him work on weekends, but you would have to find a country with matching office hours and where public holidays 100% match the days of his inactivity in every year. Some people in the comments were able to "prove" a certain country by cherry-picking the data, but you have to take all years into account.
In mainland China, almost nobody works during the Lunar New Year holiday, especially not on January 21 and 22, 2023. These are the most important days of the year, marking Chinese New Year's Eve and the first day of the Lunar New Year. Since holidays are rare in China, no one works on these days. Also, because of the unpopular shift system, people have to work on January 28 and 29, 2023, even though they're weekends. So, if someone had to work during this holiday, they'd be working 14 days straight from January 21 to February 3, 2023. That would be a terrible experience, and I doubt anyone would want to do it.
Here's a graph of just Jia Tan's commits. To me it looks like there's a very clear 12 noon UTC start time most days:
https://mastodon.social/@rvstaveren@mastodon.online/112185625762235904
Wait, you're seeing a normal working day for them in +0300? When I looked at a graph of their commit times, there seemed to be a start time most days around noon UTC, which would be 9am in the *-0300* time zone.
Or 8am in the -0400 time zone, i.e. Eastern Daylight Time.
Another evidence:
Jigar Kumar (most probably, Jia Tan's fake account used to promote himself) wrote the letter at Wed, 27 Apr 2022 11:42:57 -0700 (time is in destination server’s time zone).
https://www.mail-archive.com/xz-devel@tukaani.org/msg00555.html
But when Jia Tan replied as he-self, his email program marked “ On Thu, 28 Apr 2022 at 02:42, Jigar Kumar <jigarkuma...@protonmail.com> wrote”. It gives 15 hours time zone difference to destination mail server, that means Jia Tan replied being in +0300 time zone.
https://www.mail-archive.com/xz-devel@tukaani.org/msg00556.html
15 hours time zone difference means that Jia was in the +0800 time zone (or at least had that timezone set on his computer): -7+15=8.
The difference between -0700 and +0300 is only 10 hours.
That is correct: https://savvytime.com/converter/mst-to-eritrea-keren-awst/jan-9-2024/11-45am
top is -0700, middle is +0300, bottom is +0800
(I included a random date in the URL, because otherwise this website tries to adjust for daylight savings and it messes up the calculation)
December, 25 in 2021-2023 was on Saturday, Sunday or Monday so it should not signal regular Christmas celebration, given that most commits were made on Tue-Fri.
I would also recommend to analyze the language of commit messages (interchanging 'addding' and 'added'-like messages) and long messages like this: https://github.com/bytecodealliance/wasmtime/pull/6839#issue-1847055439
For me it looks like language style of ex-USSR citizen (who am I and type similar messages), but probably someone could do a better analysis.
I have a feeling that somehow Cyprus and Russia might be connected in this case. You see, the regular Christmas is celebrated on Dec 25, although the Orthodox one is on Jan 7. After the Russia/Ukraine war started, a notable amount of high-tech companies relocated their employees from Russia to Cyprus for you know, various reasons. Sometimes these companies give an ability to celebrate important holidays from both of the countries in the new location. Obviously, I don't think the Greeks themselves could be the case but given the Cyprus/Russia relations this could explain the timezone changes.
Source: personal experience.
And someone mentioned Jan 13 being a notable day in Russia. Safe to say, it's not, if none of the commits have been posted at this day in any year, it's just a coincidence.
But just FYI, the first 8-10 days of January are bank holidays in Russia each year.