The Enigmatic Jia Tan: A Mastermind Behind XZ Utils Sabotage
According to Scott, the three years Jia Tan spent making code changes and sending polite emails were likely not simple sabotage aimed at many software projects at once. Instead, it appears to have been a calculated effort to build credibility before specifically targeting XZ Utils, and potentially other projects in the future. “We were fortunate to discover his activities before he could proceed to the next stage,” Scott remarks. “His cover is now blown, and he’ll have to start from scratch.”
Unveiling the Techniques and Origins of the Backdoor
Sophisticated Code and Passive Backdoor
Costin Raiu, a former lead researcher at Kaspersky, points out that the malicious code Jia Tan added to XZ Utils bears the hallmarks of a well-organized, state-sponsored hacking group, even though the persona presented itself as an individual. At first glance the code looks like a legitimate part of the compression tool. “It’s crafted in an extremely deceptive manner,” Raiu notes. The backdoor is also “passive”: it never reaches out to a command-and-control server, which could expose the operator’s identity. Instead, it waits for the operator to connect to the target machine over SSH and authenticate with a private key for the Ed448 signature scheme, a strong modern elliptic-curve algorithm.
Potential Culprits: Non-US Groups with a History of Supply Chain Attacks
While the backdoor’s meticulous design could be attributed to US hackers, Raiu considers this improbable, since the US generally refrains from sabotaging open-source projects. Moreover, if the National Security Agency were involved, it would likely have used a quantum-resistant cryptographic algorithm, which Ed448 is not. Raiu instead points to non-US groups with a track record of supply chain attacks, such as APT29 and Cozy Bear. He cites the SolarWinds compromise as an example of a remarkably coordinated and effective software supply chain attack whose style matches the XZ Utils backdoor more closely than the less sophisticated attacks carried out by APT41 or Lazarus.
“It could very well be someone else,” says Aitel. “But I mean, if you’re looking for the most sophisticated supply chain attacks on the planet, that’s going to be our dear friends at the SVR.”
The Future of Jia Tan and Open Source Security
Security researchers agree that Jia Tan is unlikely to be a real individual or a lone actor. Instead, the persona appears to be the online face of a novel tactic employed by a well-organized, government-backed group, and one that nearly succeeded. The implication is that we should expect Jia Tan to return under different guises: seemingly polite and enthusiastic contributors to open-source projects, concealing a government’s covert intentions within their code commits.
Updated 4/3/2024 at 12:30 pm ET to note the possibility of Israeli or Iranian involvement.
3 Comments
“Jia Tan” – strikes me as the name you’d whisper around a campfire, spooking every techie in sight.
‘Jia Tan’ sounds like the villain in a cyber thriller, doesn’t he?
“Jia Tan” sounds like the kind of person you’d love to hate in an online game, right?