Hacker News

Must be punching the air right now


Or...falling back on less noticed contingency plans...


My pet theory is that this was just one project they have been running for years. They are likely doing many more at the same time, slowly inserting parts in various projects and getting their contributors inside the projects.


If it's an intelligence agency exploit, this is nearly certain. Getting agents hired as employees of foreign companies to provide intelligence is an ancient practice. Getting agents to be open source maintainers is a continuation of the same thing.


That seems like a safe bet. If you are planning a multi-year operation, it would be silly to do it all under a single account. Best to minimize the blast radius if any single exploit gets discovered.


Some of this activity was actually documented through the alleged data breach of a hacking company [1].

[1]: https://en.wikipedia.org/wiki/Hacking_Team


Or they must be strapped into a chair having their teeth pulled out by whoever directed them.


Why would they be? You don't get far with this kind of approach to valuable skilled human resources.


Likely a team of people at a three letter agency.


I wonder if they have OKRs too.


Everyone keeps saying this but it seems unlikely to me that they'd do this for a relatively short window of opportunity and leave their methods for all to see.


You are judging this by the outcome, as though it were pre-ordained, and also assuming that this is the only method this agency has.

It is much more likely that this backdoor would have gone unnoticed for months or years. The access this backdoor provides would be used only once per system, to install other APTs (advanced persistent threats), probably layers of them. Use a typical software RAT or rootkit as the first layer. If that is discovered, fall back to the private keys you stole, or social engineer your way in using the company directory you copied. If that fails, rely on the firmware rootkit that only runs if its timer hasn't been reset in 6 months. Failing that, re-use this backdoor if it's still available.


It was found in a few weeks, so why is it more likely it wouldn't have been noticed for months/years with more people running the backdoored version of the code?


We were lucky that the backdoor called attention to itself, because it impacted the performance of ssh and introduced valgrind warnings.


Doesn't that further suggest non-state actor(s)?


I've heard that it was only detected because the developer that found it was using different compiler flags than the default. Under default settings, the backdoor was stealthier.


My guess is that a ransomware group is behind this. Even if the backdoor had gone into production servers it would have been found fairly quickly if used at some scale.


> My guess is that a ransomware group is behind this.

My bet would be that they were after a crypto exchange(s) where they've already compromised some level of access and want to get deeper into the backend.

> Even if the backdoor had gone into production servers it would have been found fairly quickly if used at some scale.

I agree. Yes, it's possible the backdoor could've gone unnoticed for months/years, but I think the perp would've had to assume not.



