It could also be the opposite, someone trying to act like one of the Asian countries. The article lists the UTC times for the commits at 12-17, which would correspond to 8AM-1PM EST or 5-10AM PDT. That also could be fudged, or it could be a relatively new US spook working primarily in the mornings. Or if it's someone in Asia, that's 8PM-1AM, which is the perfect time for an evening hacker.

It's really not clear who's behind it.

I'm guessing an independent hacker in Asia because a state actor would probably just exploit existing bugs instead of adding new ones, and they certainly wouldn't do something as obvious as "safe_fprintf -> fprintf." I'm guessing this is all one individual trying to create business for themselves.

In other words, China, Malaysia, Korea, etc. – somewhere in Asia.

The Shadow Broker's leaks showed that state actors had whole tool suites to ensure that the product appeared like it was coming from a different location. Given that those tools have been leaked since 2016 and the concept is even older; relying on metadata like timezones, character set, etc... to make determinations about location is unreliable at best.

Timeframes of commits line up with afternoon/evening in Moscow.

I'm not really convinced. I haven't seen anything outside the capabilities of a talented individual, and such an exploit would be worth a lot of money, so the motivation is there.

It may not have a been a single person in the first place. “Jia” may have just been a front for multiple people or a team of people working together to facilitate the whole situation.

And there's the Open Collective Foundation closing (not Open Source Collective or Open Collective Inc), which means a bunch of projects need to deal with a bunch of paperwork.

I wish FOSS had a better community backing so a larger group of trusted devs could handle maintenance on multiple projects. Basically, any "production" Linux distribution would only ship software with stable maintenance. I'd join such a group, but as always, funding is an issue.