by lithos 3361 days ago
That's actually pretty funny.

Article mostly talks about the validation that security companies got from recent leaks, when before it could only be based on update and domain registration times.

Kind of makes the US look silly with that oversight. Though even if they did fix themselves, it's not like you could change behavior on the old stuff.


The issue is that when you have analysts combing over your attack there are so many different ways information can be leaked that it's impossible to try and elude everything. To properly conceal your identity to prevent fingerprinting you'd have to rewrite all your malware from scratch every time using completely different techniques, and choose targets largely at random so your motives don't become obvious. So APT groups have to prioritize what information you absolutely don't want to get out and go from there, and look at the trade-offs involved. To conceal working hours you'd have to either make everyone work random hours (which wouldn't be very popular) or perform certain activities like domain registration on a random time delay (which you may not always want; some things really need humans on keyboards to monitor). So it's a lot of effort to conceal an attribute that, while telling, isn't actually enough to implicate you.
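A defender-side illustration of the working-hours tell discussed above, as an added example that is not from the thread: it shifts constructed UTC event timestamps (compile times, domain registrations, C2 check-ins, whatever an analyst has) through candidate UTC offsets and ranks which offset packs the most events into an assumed 09:00-17:59 workday. The simulated actor's UTC+3 schedule, the workday window, the sample events and the off-hours noise are all assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed local working hours (09:00-17:59) and the offsets we test.
WORK_HOURS = range(9, 18)
CANDIDATE_OFFSETS = range(-12, 15)


def _constructed_events():
    """Constructed sample: an actor active 09-17 local at UTC+3 for 12 days,
    plus two off-hours automated events (noise). Timestamps are stored in UTC."""
    base = datetime(2024, 1, 8, tzinfo=timezone.utc)  # a Monday
    events = []
    for day in range(12):
        for local_hour in (9, 11, 13, 15, 17):
            # local time is UTC+3, so the UTC hour is local_hour - 3
            events.append(base + timedelta(days=day, hours=local_hour - 3, minutes=17))
    events.append(base + timedelta(days=2, hours=2, minutes=30))
    events.append(base + timedelta(days=9, hours=2, minutes=30))
    return events


SAMPLE_EVENTS = _constructed_events()


def hour_histogram(events, offset_hours):
    """Count events per local hour after shifting UTC by offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in events)


def workday_fraction(events, offset_hours):
    """Fraction of events that land inside WORK_HOURS at the given offset."""
    hist = hour_histogram(events, offset_hours)
    inside = sum(n for hour, n in hist.items() if hour in WORK_HOURS)
    return inside / len(events)


def rank_offsets(events, top=3):
    """Rank candidate offsets by workday fit; ties prefer offsets nearer UTC."""
    scored = [(workday_fraction(events, off), off) for off in CANDIDATE_OFFSETS]
    scored.sort(key=lambda pair: (-pair[0], abs(pair[1])))
    return scored[:top]


def estimate_offset(events):
    """Best-fitting UTC offset for the actor's working day."""
    return rank_offsets(events, top=1)[0][1]


if __name__ == "__main__":
    for frac, off in rank_offsets(SAMPLE_EVENTS):
        print(f"UTC{off:+d}: {frac:.0%} of events inside working hours")
```

Adjacent offsets usually score nearly as well, so read the result as a band of one or two zones rather than a single one; it narrows a region, which is exactly why the comment calls it telling but not conclusive.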
It also might be on purpose -- if you have a signature, then unsigned things aren't you, right?

I suspect it was largely accidental, though. Heck, there have been private entities I know of that have ended up with tells that pinned them to time zones.

Easy to do with e.g. postings to forums, including those about bitcoin...
I've generally given up trying to conceal anything above what city I'm in.

There are just too many information leaks that can be used to track people back to regions, and I honestly don't care if people know I'm one of millions of people.

(Whoops, there goes another -- there's only 53 US metros above 1mil people and 34 above 2mil.)

They've found the same things about Russian and Chinese hackers as well. They work regular hours for their local time zone.