As some of the Tweet replies mentioned, they shipped releases that contained the backdoor, and committed other questionable changes at the "usual" times. For sure we're almost certainly not dealing with a compromised workstation, so I don't think that would explain the different times for the worst offending changes.
Maybe he has some technical experts/handlers/managers that had to oversee when they introduced the actual malicious changes, and thus this reflects when he got the go-ahead signal from these other people (and thus that reflects their working hours?)
Or maybe they were just travelling at that time? (maybe travelling to visit the aforementioned handlers? Or travel to visit family... even criminals have a mom and dad)
Also, keep in mind that my Clickhouse query includes all of the Github interactions (for example, timestamp of issue comments)... and unlike a Git commit timestamp, it's hard to fake those (because you'd need to schedule the posting of such comments, probably via the API. Not impossible, but easier to think that JiaT75 just used the Gitub UI to write comments), the Tweet mentions just "commit history"
Usually the simpler explanation has less chance of being wrong... thinking of some possibilities:
- Chinese/Taiwanese state actor, who employs people 9-5 (but somehow, their guy worked 20.00 - 02.00 local time)
- Chinese/Taiwanese rogue group/lone wolf... moonlighting on this exploit after their day job (given that to interact with Lasse they'd be forced to work late, this is not outside of the realm of possibilities)
- Non-Chinese state actor, employing someone 9-5 (consistent with most of the Github interactions), wanting to pin responsibility on China/Taiwan (+0800 timezone for commits), which for some unexplained reason pushed the worst offending changes at really weird times.
- Chinese/Taiwanese state actor, that wanted to pin the blame on western state actors (by making all of the changes at times compatible with someone working in Europe), and somehow they slipped up when pushing the worst offending changes.
- Chinese/Taiwanese state actor, employing someone in Europe (if they need to get approval of changes/gain the trust of the previous maintainer Lasse, it might make sense to have better/more timezone overlap)... which for some weird (yet "innocent") reason, kept the device that they worked on, configured with a +0800 timezone
- Non-Chinese state actor, pretending to be a Chinese entity that wanted to pin the blame on a western entity and slip up by making the worst offending changes at 3am (i.e. it was not a slip up, but it's part of the misdirection efforts.)
Some of these hypotheses are a bit farfetched, but reality is stranger than fiction
