This is either a state actor operating under a fake name or it deserves to be one.
The perpetrator, “Jia Tan,” let’s assume has the last name 陈. In Mandarin, this is pronounced as Chen, in Hong Kong as Chan, while in Minnan it is pronounced as Tan. Minnan is prevalent in Taiwan, Singapore, Malaysia, Indonesia, and other southeast Asian countries as well as in parts of Fujian, China (where it originated).
A common feature of early Chinese expat communities was that they were overwhelmingly from Guangdong (think Gold Rush era). However, more recently, there’s been a massive wave of Taiwan and Hong Kong emigration… The relevant takeaway here is that Tan is much more common of a pronunciation in expat communities than it is in China.
Of course, they could also have the last name 谭, but that’s a good bit rarer. 陈 is the most common Chinese surname overseas and the 5th most common in China, while 谭 is something like 54th most common in China. Odds are high that, if this was a persona constructed by a state actor, it did not come from China but from an overseas actor for which Tan is a more common romanization.
What makes you think that’s actually their name?
This makes sense, but the implementation itself was also kind of sloppy. I think it was bound to be found sooner or later, which seems oddly unlikely for an APT that would spend more time and effort hiding it.
I wouldn’t expect China, NSA, or any big name APT to be behind this.
I wonder if it was really a state actor or actually just a random blackhat group trying to gg ez a backdoor.
Way too big of a target for a black hat group imo. It was only sloppy because they got caught.
The length of this project points to external funding.
Or someone who wanted people to point fingers at someone specific.