Remember that agencies like NSA, GCHQ etc will always use false flags in their code, even when it doesn’t have as high risk of exposure as a backdoor in public has.
Looking at the times of commits shouldn’t be given much value at all. A pretty pointless endeavour.
State actors are actually known for not doing that; after all, there's no need to hide when what you're doing is legal. They also tend to work 9-5 in their own timezones.
It might be legal but would (or at least should) be seen as an attack by all other countries using the software, even allies, and in a saner world wouldl receive a strong political response.
Looking at the times of commits shouldn’t be given much value at all. A pretty pointless endeavour.