
Malware is the result of a long secret operation

by admin

The malware was the result of a years-long secret operation. In the next few weeks it would have spread to Internet servers worldwide.

Malware for web servers: A large proportion of internet servers would have been affected by the backdoor.

Benoit Tessier / Reuters

What the software developer Andres Freund discovered a few days ago was designed never to be discovered: a backdoor in software that is used worldwide for the remote maintenance of servers. The attackers could have used it to gain access to computers around the world. A disturbing idea.

In the next few weeks, the backdoor would have been distributed to Linux computers worldwide with the latest update. It was pure coincidence that Freund discovered it shortly beforehand. “We were very, very lucky,” writes encryption specialist Bruce Schneier in his blog.

The story sounds incredible. This has to do with the attackers’ sophisticated approach. With the accidental discovery. And with the functioning of the community of developers who work for free to develop open source software on which the Internet is based. But first things first.

At the center of the story are the “xz Utils”, a collection of programs and code libraries that are used on Linux and many other Unix systems to compress data. This software is open source – meaning its program code is freely available – and is further developed by volunteers. Basically anyone can take part. As the person responsible, Lasse Collin leads the project – alone.

In spring 2022, a person identifying himself as Jia Tan contacted the “xz Utils” mailing list with a contribution to the software. Soon after, other people who had not been active before joined the discussions. Before long, the demand arose that Collin should let another person join the “xz Utils” project.


Jia Tan started working on the project in the following weeks. By the beginning of 2023 at the latest he had also been given maintainer responsibility and was listed as the first contact person. Jia Tan then used these powers to disable a function that checks open source software for vulnerabilities. This cleared the way to smuggle in the backdoor.

Finally, in February of this year, Jia Tan added two test files containing the code for the backdoor. He and other people then lobbied the major Linux distributions to include the manipulated version in their next update. This would have allowed the secret backdoor to spread across servers worldwide.

The vulnerability alarms IT security staff over Easter

At the end of March, the compromised version of “xz Utils” was already included in the pre-release versions of some Linux distributions. That was the moment when software developer Andres Freund noticed something: strange behavior in the sshd program, which provides encrypted remote access to a computer.

Freund wanted to get to the bottom of the irregularities and discovered the hidden backdoor. He made his discovery public on Good Friday, alarming IT specialists and security companies around the world. The German cybersecurity authority BSI, for example, declared threat level orange on Saturday, which stands for a business-critical threat and massive disruption to normal operations.
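The article describes a backdoor that reached sshd through the xz compression library. The added POSIX shell script below is not from the article or from the xz project; it is the kind of read-only inventory check an administrator would run after such a disclosure: does the local sshd binary dynamically link liblzma, and which xz version is installed? It assumes that `xz --version` begins with a line of the form `xz (XZ Utils) <version>`, and it deliberately does not hard-code the affected version numbers, which must be taken from the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the article): defender-side inventory check for the
# situation described above - an sshd process that pulls in the xz
# compression library (liblzma). Reports whether sshd links liblzma and which
# xz version is installed; compare the result against the vendor advisory.

# Extract the version from the text of `xz --version`.
# Assumed first line format: "xz (XZ Utils) 5.4.6" -> prints "5.4.6".
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Given the text of `ldd <binary>`, succeed (status 0) if liblzma is listed
# among the shared objects the binary loads at start-up.
ldd_has_liblzma() {
    printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Live check of the local system; read-only, no configuration is changed.
check_local_sshd() {
    sshd_path=$(command -v sshd || echo /usr/sbin/sshd)
    if [ ! -x "$sshd_path" ]; then
        echo "sshd binary not found; nothing to check"
        return 2
    fi
    if ! command -v ldd >/dev/null 2>&1; then
        echo "ldd not available; cannot inspect $sshd_path"
        return 2
    fi
    if ldd_has_liblzma "$(ldd "$sshd_path" 2>/dev/null)"; then
        echo "$sshd_path links liblzma (xz library is loaded into sshd)"
    else
        echo "$sshd_path does not link liblzma"
    fi
    if command -v xz >/dev/null 2>&1; then
        echo "installed xz version: $(parse_xz_version "$(xz --version 2>/dev/null)")"
    else
        echo "xz not installed"
    fi
}

check_local_sshd || echo "check ended with status $?"
```

On distributions whose sshd is patched to notify systemd, liblzma is pulled in indirectly through libsystemd, which is why the check inspects the binary's full dynamic dependency list rather than its direct imports; a "links liblzma" result is not proof of compromise, only the signal that the installed xz version must be verified against the advisory.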

Linux and Unix operating systems are unfamiliar to the general public; they are rarely found on office or home computers and laptops. Things are completely different when it comes to internet servers: a large proportion of these machines run Linux. According to the analysis platform W3Techs, 85 percent of web servers run on Unix. The attackers would probably have gained access to most of them.

Who is behind the operation is currently completely unclear. However, the complex procedure and technical skill indicate that this is probably a professional actor. Freund’s discovery probably exposed an intelligence service operation; such an actor has the resources and patience for a campaign of this length.


Another point in favor of an intelligence operation is that the backdoor could only be activated with a specific key. This mechanism ensures that, for example, cyber criminals or other states cannot use it to spy on or endanger the compromised systems.

The technical implementation of the backdoor was complex. It was installed in several stages, in which the malicious code was first unpacked, then compiled and only then linked into the software. This meant that the malicious program code could not be identified immediately.

Complex “social engineering” speaks for state action

Even more impressive than the technical implementation is the human factor in the action. Crucial to its success was so-called “social engineering,” which refers to deceiving and manipulating other people with the aim of getting them to take desired actions.

In the case of “xz Utils”, the actors not only created the evidently fictitious persona Jia Tan; they also used alleged third parties to put pressure on the person responsible for the project. This is “the craziest attack” he has ever dealt with, writes Italian IT security researcher Emanuele De Lucia. The elaborate use of “social engineering” matches the approach of state groups: “A really impressive performance from the attackers.”

The attack also shows the unsatisfactory situation in the development of open source software. Although such open software is used by many companies – including large tech companies – the further development and improvement of the programs often depends on individual people.

The fact that the developers often work voluntarily, or at least are not adequately compensated, may have facilitated the attack. However, secret services also find ways and means to carry out similar attacks on commercial software providers. In the well-known SolarWinds case, a Russian service managed to infect around 18,000 networks via network management software.


The highly professional attack on “xz Utils” shows that certain intelligence services go to great lengths to gain long-term access to IT systems. Such operations are carried out not only by Russia or China, but also by the USA and Great Britain.

And the services are likely to succeed with them. The fact that this backdoor was only discovered by chance also means that in many cases such operations will probably never be discovered, or only after a long time.
