The backdoor in Linux – a sophisticated intelligence operation?


In the middle of Easter week, while the rest of Norway’s population was in the mountains for the holiday, a sophisticated supply chain attack was launched against an open source code library used by a number of different Linux distributions. The backdoor in xz/liblzma was uncovered by chance by Andres Freund, who noticed abnormally high processor usage: after an update of his machine, which ran the Linux distribution Debian, logging in via SSH consumed an abnormal amount of CPU power. This aroused the engineer’s suspicion, and his further investigations led to the discovery of the backdoor in the xz library.
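As an added example (not part of the article), here is the kind of triage check a defender could run after reading a report like this: it parses a process’s memory map in /proc/<pid>/maps format, lists the shared objects the process has loaded and flags liblzma. Whether a given distribution’s sshd loads liblzma at all is an assumption, and the sample map below is constructed, not captured from a real host.

```python
"""Triage helper for the xz/liblzma case: parse a process's /proc/<pid>/maps, list
the shared objects it has loaded and flag liblzma (added example, not from the article)."""
import os
import re
from typing import Dict, List
# Constructed excerpt in /proc/<pid>/maps layout (addr perms offset dev inode path); not from a real host.
SAMPLE_MAPS = """\
5581a3c00000-5581a3c2c000 r--p 00000000 fd:01 1049094 /usr/sbin/sshd
7f1c2e400000-7f1c2e422000 r--p 00000000 fd:01 262341  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2e422000-7f1c2e5b7000 r-xp 00022000 fd:01 262341  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2e700000-7f1c2e72a000 r-xp 00000000 fd:01 262402  /usr/lib/x86_64-linux-gnu/liblzma.so.5
7f1c2e800000-7f1c2e801000 rw-p 00000000 00:00 0       [heap]
7f1c2e900000-7f1c2e92f000 r--p 00000000 fd:01 262500  /usr/lib/x86_64-linux-gnu/libsystemd.so.0
7f1c2ea00000-7f1c2ea21000 rw-p 00000000 00:00 0
"""
_SHARED_OBJ = re.compile(r"\.so(\.\d+)*$")  # libfoo.so, libfoo.so.5, libfoo.so.5.4.1

def loaded_shared_objects(maps_text: str) -> List[str]:
    """Distinct shared-object paths mapped by the process, in first-seen order."""
    seen: List[str] = []
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue  # anonymous mapping with no backing file
        path = parts[5].strip()
        if not path.startswith("/"):
            continue  # pseudo-paths such as [heap] or [stack]
        if _SHARED_OBJ.search(path) and path not in seen:
            seen.append(path)
    return seen

def loads_liblzma(maps_text: str) -> bool:
    """True if any mapped shared object is liblzma, whatever its version suffix."""
    return any(os.path.basename(p).startswith("liblzma.so")
               for p in loaded_shared_objects(maps_text))

def check_live_processes(name: str = "sshd") -> Dict[int, bool]:
    """Scan /proc (Linux only) for processes named `name`: pid -> loads liblzma.
    Assumes sshd may be built against liblzma; a True here means exposure, not proof."""
    results: Dict[int, bool] = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                if f.read().strip() != name:
                    continue
            with open(f"/proc/{pid}/maps") as f:
                results[int(pid)] = loads_liblzma(f.read())
        except OSError:
            continue  # process exited, or maps unreadable without privileges
    return results
```

Run `check_live_processes()` as root on a Linux host to see which sshd processes currently map liblzma; a hit is a reason to check the installed xz package against the distribution’s advisory, not a verdict on its own.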

Several security analysts and enthusiasts in the international information security community have been digging for details since the revelation, to find out how the backdoor was placed in the xz library and who was apparently behind the sophisticated supply chain attack.

The goal

The incident can be considered a supply chain attack because the threat actor compromised an open-source code library that is in turn used by a number of popular Linux distributions, including Red Hat, Ubuntu, Fedora, Debian and others. The threat actor’s target does not appear to have been the xz library itself, but the Linux distributions that use it. This gives the threat actor a hidden attack vector towards the users of the affected systems worldwide, such as companies and institutions that manage sensitive information.

Like the open-source Java library Log4j, which set the entire internet on fire just over two years ago, xz/liblzma was also maintained by a single person, unpaid, in his spare time. It might then be worth using the Easter holidays to reflect a little on how your multimillion-dollar company can help support the open source developers who create the products you depend on.

Advanced threat actors?

But unlike Log4j, which was an accidental vulnerability in the code, there are several indications here that advanced threat actors have deliberately and purposefully planted a technically sophisticated backdoor in the xz library. Recognized cyber security experts have pointed to similarities with the methods used by intelligence services, because the operation, in addition to being technically advanced, also used cunning methods to manipulate the person who maintained the code. In this way the threat actor got into a position to plant the sophisticated backdoor, which resembles a human-based intelligence operation, so-called HUMINT (human intelligence).

Possible to trace

The compromised code library was until recently available for download on GitHub. It has therefore been possible to trace parts of the threat actor’s activity and identify when the backdoor was placed in the code.

Presumably a long reconnaissance and intelligence effort preceded this, to identify the target of the operation, namely the xz library and the person who maintained it, Lasse Collin.

So far, it has been revealed that the account JiaT75 (Jia Tan), the user who pushed the backdoor into the xz library, was created on GitHub in 2021. After a while, two other user accounts, under the pseudonyms Jigar Kumar and Dennis Ens, complained to Lasse Collin about the progress of updates to the code library. Due to limited capacity to maintain and improve the code, Lasse Collin gradually handed over tasks to Jia Tan, who from 2023 took over the main responsibility for updates. The threat actor was thus in a unique position to place a hidden and technically advanced backdoor into an open source library used by a number of popular Linux versions.

Placing their own people on the inside

The supply chain attack is particularly interesting because it illustrates that advanced threat actors, here possibly linked to a foreign state, are continuously trying to get into a position to insert backdoors into open source code available on GitHub, which is used by many key businesses around the world, also here in Norway. They use a wide range of both technical and human-based methods, such as manipulation, with the intention of placing one of their own, in this case Jia Tan, on the “inside”. That way, they could introduce a technically sophisticated backdoor into a widely used code library.

They can do this because we place (a little too much) trust in the code on which we build our systems, trusting that it has not been manipulated by malicious actors. The backdoor that Jia Tan put into the xz library should make us reconsider that assumption. Is it time for us to introduce a Zero-Trust model here too?

The article is in Norwegian
