Supply Chain Attack Rattles Open-Source Community

by Carolyn Mathas

According to a report by Cyberscoop, open-source Linux users narrowly avoided a catastrophe. A Microsoft developer found one of the most sophisticated supply chain attacks while debugging a network protocol discrepancy.

Here’s what happened: Jia Tan, a developer, started adding a backdoor to software known as XZ Utils, which is present on most, if not all, versions of Linux. Had the backdoored XZ Utils been shipped in a stable Linux release, he could have broken into Linux servers and run arbitrary code through the utility.

Tan’s act seems to be an espionage operation by a sophisticated intelligence agency. So far, it’s unknown who is responsible.

Had the code not been discovered and stopped, it could have had a devastating impact on a significant portion of the world’s servers.

Jia Tan methodically sent fixes to the mailing list for the data compression library. Two others, calling themselves “Jigar Kumar” and “Dennis Ens,” began to attack the project’s maintainer, Lasse Collin, criticizing him for his lack of updates.

Tan’s goal was to gain access to the project as a new maintainer. Collin, who was dealing with personal and mental health issues, eventually made Tan a maintainer on the project almost a year after Tan sent the first fix. Bit by bit, Tan began adding malicious code until the backdoor was completely integrated into XZ Utils.

Then, Tan started to pressure different Linux distributions to add the malicious version of XZ Utils to their operating systems. Tan rushed the supply chain attack in its final months: a change to another program, due to be published soon, would have rendered the backdoor useless.

A curious software engineer named Andres Freund at Microsoft discovered the backdoor. Freund claimed that uncovering the backdoor required “a lot of coincidences.”

According to Cyberscoop, within a few days analysts had plotted the GitHub commits onto timelines, malware researchers had disassembled the code, IRC chats had been logged, and researchers had pieced together what had happened.

Tan appears to have contributed to other open-source projects, such as the widely used compression library libarchive, which has made its way into at least 180 firmware images for operational technology, Internet of Things devices, and network devices. It is unknown whether his contributions there contained malicious code.

Security experts believe that a nation-state instigated and supported this attack due to its length and intricacy.

A timeline of Tan’s commits to GitHub suggests someone based in China, but research into the commits indicates this is misdirection and that Tan may actually be in Eastern Europe.
