Based on the level of sophistication being alluded to, I'm personally inclined to assume this is a state actor, possibly even some arm of the U.S. govt.
That would honestly be one of the most impactful bits of public service to fall out of any agency, regardless of country. Even if this is nefarious, a couple of intentionally clumsy follow-ups designed to draw further attention would be amazing to see. Think chaos monkey for software supply chain.
Can the community aspects of FOSS survive a Spy vs Spy environment though?
I don't know, but the answer is irrelevant to whether we are in one (we are).
I shudder to think what lurks in the not-open-source world. Closed source software/firmware/microcode, closed spec/design hardware; and artificial restriction of device owners from creating replacement code, or modifying code in consumer and capital goods containing universal machines as components; are significant national security threats and the practice of keeping design internals and intent secret in these products produces a cost on society.
I propose that products which don't adhere to GNU-like standards of openness (caveat*) get national sales taxed some punitive obscene percentage, like 100%. This way the government creates an artificial condition which forces companies to comply lest their market pricing power be absolutely hobbled. If say your company makes five $10MM industrial machines for MEGACORP customer and you're the only game in town, MEGACORP can pay the sales tax. Brian, Dale, and Joe Sixpack can't afford $2,500+ iPhones and Playstations, or $70,000 base model Honda Civics (yes this should apply to cars and especially medical devices/prosthetics), so when Company B comes around making a somewhat inferior competing fully open product then Company A making the proprietary version loses a huge chunk of market share.
(*But not the GNU-spirit distribution rights, so the OEM or vendor is still the only entity legally allowed to distribute [except for national emergency level patches]. Patent rights still apply.)
This is the most direct and sane way to address the coming waves of decade+ old lightbulbs and flatscreens. It has fewest "But if" gotcha exceptions with which to keep screwing you. Stop sticking up for your boss and think about the lack of access to your own devices, or better yet the implicit and nonconsensual perpetual access vendors maintain to universal machines which by all rights only you should have sovereign control over (like cooking your own microcode or tweaking Intel's [but not distributing your tweaks to Intel's])!
Overcomplicated design, sloppy opsec and Eastern European time zone altogether sound more like an attempt to snatch some bitcoins by a small group of people in places.
> This individual/organization needs to be on the top of every country's most wanted lists
Because if the "organization" is a U.S. agency, not much is going to happen here. Russia or China or North Korea might make some strongly worded statements, but nothing is going to happen.
It's also very possible that security researchers won't be able to find out, and government agencies will finger-point as a means of misdirection.
For example, a statement comes out in a month that this was North Korea. Was it really? Or are they just a convenient scapegoat so the NSA doesn't have to play defense on its lack of accountability again?
Highly likely, China has been estimated to have cyberhacking resources that are 10-50x what the USA has currently. It's not even close. The USA will have to up its game soon or accept China being able to shut down large swathes of the grid and critical infrastructure at will.