Thanks, I was wondering about this since day 0 and was too lazy to look it up. Yes it can be spoofed, but I imagine a good chunk of day-to-day work is semi-interactive, which would make it preferable to have the attacker be in the same tz as the victims. Anyone know what tz Lasse was in? If not (e.g. he’s in the US), then I’d say Occam’s razor that the attacker is working those UTC 10-18 office hours without extra steps. Tz proves nothing, and for a 3y low-intensity operation I’d just assume the attacker won’t introduce that much friction only to mislead. I’m sure there are much stronger signals in the investigation work that’s going on now. Unfortunately, given the hush-hush-by-default nature of our beloved intel agencies, we’ll probably never know.
I don't think GitHub activity logs can be spoofed - of course activity can consciously be done in a certain time zone, but that's different from spoofing timestamps in git commits. See https://news.ycombinator.com/edit?id=39905376 for the full histogram, it shows a rather narrow time distribution between 12-16 UTC - not really natural at all if you ask me.
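The two comments above turn on one distinction: the offset written into a commit (what "working in a certain time zone" looks like) versus the absolute instant of the commit. The script below, an added example that is not code from this thread or from the xz project, builds the UTC hour-of-day histogram the second comment refers to and contrasts it with the wall-clock histogram. It assumes input in the shape produced by `git log --format='%H %aI'` (hash, author date in strict ISO 8601 with offset); the log lines in it are constructed sample data, not real xz history.

```python
"""UTC hour-of-day histogram over git commit timestamps.

Added example for this thread, not code from the thread or from the xz
project. Input is assumed to be lines shaped like the output of
`git log --format='%H %aI'`. SAMPLE_LOG is constructed, not real history.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample. The +08:00 lines look like evening work in that zone,
# the +00:00/+01:00 lines like afternoon work; the offset on each line is
# whatever the committer's environment (or GIT_AUTHOR_DATE) put there.
SAMPLE_LOG = """\
1111111 2024-02-05T20:10:00+08:00
2222222 2024-02-06T21:45:00+08:00
3333333 2024-02-07T22:30:00+08:00
4444444 2024-02-08T23:05:00+08:00
5555555 2024-02-09T21:20:00+08:00
6666666 2024-02-12T13:40:00+00:00
7777777 2024-02-13T15:15:00+00:00
8888888 2024-02-14T16:55:00+01:00
"""


def parse_log(text):
    """Yield (hash, timezone-aware datetime) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, iso = line.split(maxsplit=1)
        yield sha, datetime.fromisoformat(iso.strip())


def utc_hour_histogram(text):
    """Commits per UTC hour (0-23). Depends only on the absolute instant,
    so changing the stated offset cannot move a commit between buckets."""
    hist = Counter()
    for _, when in parse_log(text):
        hist[when.astimezone(timezone.utc).hour] += 1
    return hist


def local_hour_histogram(text):
    """Commits per wall-clock hour as written in the commit, i.e. with the
    committer-chosen offset applied. This is the view an offset can fake."""
    hist = Counter()
    for _, when in parse_log(text):
        hist[when.hour] += 1
    return hist


def densest_window(hist, width=4):
    """(start_hour, share) of the width-hour window, wrapping at midnight,
    that holds the largest share of commits. Ties keep the earliest start."""
    total = sum(hist.values())
    best = (0, 0.0)
    for start in range(24):
        count = sum(hist[(start + i) % 24] for i in range(width))
        share = count / total if total else 0.0
        if share > best[1]:
            best = (start, share)
    return best


def with_offset(when, offset_hours):
    """The same instant re-expressed in another fixed offset. This is all a
    TZ change does: the wall-clock hour moves, the UTC bucket does not."""
    return when.astimezone(timezone(timedelta(hours=offset_hours)))


if __name__ == "__main__":
    utc = utc_hour_histogram(SAMPLE_LOG)
    local = local_hour_histogram(SAMPLE_LOG)
    for hour in range(24):
        if utc[hour]:
            print(f"{hour:02d} UTC {'#' * utc[hour]}")
    print("densest 4h window, UTC:  ", densest_window(utc))
    print("densest 4h window, local:", densest_window(local))
```

On the sample, every commit lands in 12-15 UTC even though the stated offsets spread the wall-clock hours from 13 to 23, which is the point of reading the histogram in UTC. Moving a commit's UTC bucket itself requires changing the instant, which git lets any committer do with `GIT_AUTHOR_DATE`/`GIT_COMMITTER_DATE` or `git commit --date`; what those cannot rewrite are the server-side timestamps GitHub records for pushes and other events, which is the distinction the second comment is drawing.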