Linux Undercover Agent: Who is Jia Tan and what is his secret mission

Father

What were the goals of many years of infiltration in open source projects?

Earlier this week, we already reported that a well-disguised backdoor, introduced by a developer working under the pseudonym Jia Tan, was revealed in the XZ Utils data compression utility, which ships in many Linux distributions.

In this article, we will take a closer look at who this Jia Tan is in general, how exactly he managed to secretly introduce a backdoor, and what goals he pursued.

According to experts, the pseudonym hides not a single hacker but a whole group, presumably state-sponsored. The attackers used a strategy of long-term infiltration of open source projects.

For years, hackers have been preparing for this attack in order to pull it off without anyone noticing. However, by some incredibly lucky coincidence, the backdoor was still discovered before it could cause significant damage.

Jia Tan started his activity on GitHub in November 2021, proposing changes to one of the open source products. Over the following years, this developer was able to largely take control of the XZ Utils project, replacing the original maintainer, Lasse Collin. This was made possible by complaints from some users about the slow pace of updates to the project; where those complaints came from remains unclear.

Costin Raiu, a former leading researcher at Kaspersky Lab, suggests that Jia Tan is backed by a state-sponsored group.

Despite the hacker's Chinese pseudonym, Raiu believes that it is too early to make educated guesses about the country behind the attack, as the use of a Chinese pseudonym may be a deliberate attempt to mislead the investigation.

However, one thing, according to Raiu, is quite clear: this attack was more sophisticated than any previous attack on the software supply chain that the researcher had seen.

The investigation revealed an exceptionally high level of operational security on Jia Tan's part, including the use of a VPN with a Singapore IP address and the absence of any other traces on the Internet. This approach underlines the seriousness of his intentions, as well as the assumption that the name belongs to a fictional persona. Since the discovery of the backdoor in XZ Utils, Jia Tan has disappeared without a trace, and his GitHub account has been blocked.

Jia Tan is reported to have made about 6,000 code changes to at least seven different projects between 2021 and February 2024. Determining all the consequences of these numerous changes seems almost impossible for experts, since in the case of XZ Utils the malicious code was so heavily obfuscated that only a happy accident led to its discovery.

Who knows how many other open source projects have been affected by the intervention of Jia Tan and other state-sponsored hackers who have set themselves the clear goal of compromising supply chains. There are surely at least several similar profiles across GitHub, where insidious hackers operate under the guise of decent developers, but it is unlikely that specialists will be able to identify all such profiles quickly, if they succeed at all.

Just yesterday, we reported on a free online binary file scanner developed by Binarly, which is able to detect Linux files affected by the XZ Utils supply-chain attack.

Let's hope that security experts will be able to develop a similar automated tool for scanning the source code of affected projects, in order to identify other threats that probably exist and thus protect both developers and end users.