
Recently something happened in the tech world that should have made world headlines. But it didn’t.

On March 29, Microsoft software developer Andres Freund reported that, while trying to optimize the performance of his computer, he had noticed one program, the SSH server daemon sshd, using an unexpected amount of processing power. Freund dove in to troubleshoot and “got suspicious.”

Eventually, Freund found the source of the problem, which he subsequently posted to a security mailing list: he had discovered a backdoor in XZ Utils, a data compression tool and library (liblzma) used by a wide array of Linux-based software – a constellation of open-source components that, while often not consumer-facing, undergirds key computing and internet functions like secure communications between machines.

By inadvertently spotting the backdoor, which was buried deep in the code in binary test files, Freund averted a large-scale security catastrophe. Any machine running an operating system that shipped the backdoored utility and met the conditions laid out in the malicious code (in practice, 64-bit x86 Linux with glibc, built as a Debian or RPM package) would have been open to compromise: the backdoor let whoever held the attacker’s private signing key run commands on the machine through its SSH server.
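As an added, stand-alone check that is not part of the original article: the backdoor shipped in upstream XZ Utils releases 5.6.0 and 5.6.1, and it reached the SSH daemon because liblzma was loaded into sshd through libsystemd on some distributions. The POSIX shell script below flags an installed xz from those two releases and reports whether the local sshd links liblzma. The sshd paths it probes and the exit status of 2 for "affected" are this example's own choices, not anything from the article or the XZ project.

```shell
#!/bin/sh
# Added example (not from the original article): a local check for the two
# backdoored upstream XZ Utils releases, 5.6.0 and 5.6.1. The sshd part is a
# heuristic only: the backdoor reached sshd because liblzma was pulled into the
# process via libsystemd on some distributions, so an sshd that does not load
# liblzma is not exposed through that path. The probed sshd paths and the
# "affected" exit status of 2 are assumptions made for this example.

# Return 0 (true) if an `xz --version` banner names an affected release.
# Example input: "xz (XZ Utils) 5.6.1" (only the first line is inspected).
xz_version_affected() {
    ver=$(printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }')
    case "$ver" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the sshd binary at the given path loads liblzma, 1 if it does
# not, or if ldd or the binary is unavailable (nothing can be concluded then).
sshd_loads_liblzma() {
    bin="$1"
    [ -x "$bin" ] || return 1
    command -v ldd >/dev/null 2>&1 || return 1
    ldd "$bin" 2>/dev/null | grep -q 'liblzma'
}

# Inspect this machine and print a verdict. Returns 0 when no affected
# release is installed and 2 when one is.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        banner=$(xz --version 2>/dev/null | head -n 1)
        if xz_version_affected "$banner"; then
            echo "AFFECTED xz release installed: $banner"
            rc=2
        else
            echo "xz release not in the affected set: $banner"
        fi
    else
        echo "xz not found in PATH; nothing to check"
    fi
    # Assumed locations; adjust for your distribution.
    for sshd in /usr/sbin/sshd /usr/local/sbin/sshd; do
        if sshd_loads_liblzma "$sshd"; then
            echo "$sshd loads liblzma (exposure path present if xz is affected)"
        fi
    done
    return "$rc"
}

# Usage: sh xz-check.sh ; an exit status of 2 means an affected release was found.
check_host
```

A clean version string is not a guarantee on its own: the injected payload only activated under the build conditions described above, and distributions that rolled back (Debian’s fixed package, for instance, reports 5.4.5 even though its package version string reads 5.6.1+really5.4.5) will pass this check while still warranting a review of what was installed in the interim.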

[…] The malicious code in XZ Utils was introduced by a user calling themself Jia Tan, employing the handle JiaT75, according to Ars Technica and Wired. Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it. Eventually, though the exact timeline is unclear, Tan ascended to being co-maintainer of the project, alongside the founder, Lasse Collin, allowing Tan to add code without needing the contributions to be approved. (Neither Tan nor Collin responded to requests for comment.)

The XZ backdoor betrays a sophisticated, meticulous operation. First, whoever led the attack identified a piece of software that would be embedded in a vast array of Linux operating systems. The development of this widely used technical utility was understaffed, with a single core maintainer, Collin, who later conceded he was unable to keep up with XZ, providing the opportunity for another developer to step in. Then, after cultivating Collin’s trust over a period of years, Tan injected a backdoor into the utility. All these moves rested on the technical proficiency that went into creating and embedding the backdoor code itself – code sophisticated enough that analysis of its precise functionality and capability is still ongoing.

[…] On one email list, Collin faced a raft of complaints. A group of users, relatively new to the project, had protested that Collin was falling behind and not making updates to the software quickly enough. He should, some of these users said, hand over control of the project; some explicitly called for the addition of another maintainer. Conceding that he could no longer devote enough attention to the project, Collin made Tan a co-maintainer.

The users involved in the complaints seemed to materialize from nowhere – posting their messages from what appear to be recently created Proton Mail accounts, then disappearing. Their entire online presence is related to these brief interactions on the mailing list dedicated to XZ; their only recorded interest is in quickly ushering along updates to the software.

All part of a coordinated attack.

Several other figures on the email list took part in efforts – diffuse in appearance but coinciding in aim and timing – to install a new co-maintainer, sometimes pushing specifically for Tan.

Later, on a listserv dedicated to Debian, one of the more popular of the Linux family of operating systems, another group of users advocated for the backdoored version of XZ Utils to be included in the operating system’s distribution.

[…] After Collin eventually made Tan a co-maintainer, there was a subsequent push to get XZ Utils – which by now carried the backdoor – distributed widely. Another figure calling themselves Hans Jansen, who had first shown up on the XZ GitHub repository in June 2023, went on this March to push for the new version of XZ to be included in Debian Linux. (Jansen did not respond to a request for comment.)

An employee at Red Hat, a software firm owned by IBM, which sponsors and helps maintain Fedora, another popular Linux operating system, described Tan trying to convince him to help add the compromised XZ Utils to Fedora.

These popular Linux operating systems account for millions of computer users – meaning that huge numbers of users would have been open to compromise if Freund, the developer, had not discovered the backdoor.

This was not something done by some hacker group acting on its own. It was a military-grade attack by the Chinese government, planned over a long time and involving many actors. There is no way a hacker group would take so much time and effort.

If you think I’m being a bit of a conspiracy theorist, consider this: the US Army is the single largest installed base for Red Hat Linux and the US Navy nuclear submarine fleet runs on Linux, including their sonar systems. Also consider all the sensitive information that would have been made available to the Chinese Government.

Make no mistake. China is at war with the West.

What will it take for us to wake up?
