On Good Friday, a Microsoft engineer named Andres Freund noticed something peculiar. He was using a software tool called SSH for securely logging into remote computers on the internet, but the interactions with the distant machines were significantly slower than usual. So he did some digging and found malicious code embedded in a software package called XZ Utils that was running on his machine. This is a critical utility for compressing (and decompressing) data running on the Linux operating system, the OS that powers the vast majority of publicly accessible internet servers across the world. Which means that every such machine is running XZ Utils.
Freund’s digging revealed that the malicious code had arrived in his machine via two recent updates to XZ Utils, and he alerted the Open Source Security list to reveal that those updates were the result of someone intentionally planting a backdoor in the compression software. It was what is called a “supply-chain attack” (like the catastrophic SolarWinds one of 2020) – where malicious software is not directly injected into targeted machines, but distributed by infecting the regular software updates to which all computer users are wearily accustomed. If you want to get malware out there, infecting the supply chain is the smart way to do it.
So what was the malware discovered by Freund designed to do? Basically to break the authentication process that makes SSH secure and thereby create a backdoor that would enable an intruder remotely to gain unauthorised access to the entire system. Since SSH is a vital tool for the safe operation of a networked world, anything that undermines it is really bad news – which is why the cybersecurity world has been on high alert in the past week. Those running the different flavours of Linux that are in use across the world have been alerted to the dangers posed by the two rogue updates.
So stable door bolted, and hopefully no horses missing. None of this would have been true, though, if Freund hadn’t been so hawk-eyed and inquisitive. “The world owes Andres unlimited free beer,” observed one security expert. “He just saved everybody’s arse in his spare time.”
In some ways, the story of how the malware got into the updates is even more instructive. XZ Utils is open-source software, ie software with source code that anyone can inspect, modify and enhance. Much open source is written and maintained by small teams of programmers, and in many cases by a single individual. In XZ Utils, that individual for years has been Lasse Collin, who has been with the project since its inception. Until recently he was the person who had been assembling and distributing the updates of the software.
But it seems that in recent years the grind of maintaining such a key piece of software had become more onerous, and he is also reported to have had health problems. (We don’t know for sure because he decided a while back to take a sabbatical from the online world.) But according to security expert Michał Zalewski, about two years ago a developer “with no prior online footprint” and calling himself Jia Tan appeared out of the blue and started making helpful contributions to the XZ Utils library. “Shortly after the arrival of ‘Jia’,” Zalewski continues, “several apparent sock puppet accounts showed up and started pressuring Lasse to pass the baton; it seems that he relented at some point in 2023.” And it seems that the two malware-infected updates were released by this Jia character.
So now the plot thickens. Cybersecurity experts are clearly taking the attack seriously. “The backdoor is very peculiar in how it is implemented, but it is really clever stuff and very stealthy,” a well-known South African security guru told the Economist. Even more interesting is the existence of a concerted online campaign to persuade Lasse Collin to pass control of XZ Utils to “Jia Tan”. This particular guru suspects that the SVR, the Russian foreign intelligence service behind the SolarWinds penetration of US government networks, might even have played a role in the attack.
Who knows? But two clear lessons can be drawn from what we know so far. The first is that we have constructed a whole new world on top of a technology that is intrinsically and fundamentally insecure. The second is that we are critically dependent on open-source software that is often maintained by volunteers who do it for love rather than money – and generally without support from either industry or government. We can’t go on like this, but we will. Those whom the Gods wish to destroy, they first make complacent.
What I’ve been reading
How to-talitarian
How could Trump actually turn the US into a fascist state? Robert Reich outlines Trump’s five-stage plan on his Substack.
The consequences of Conservative government
What have 14 years of Conservative rule done to Britain? You know the answer, but Sam Knight gives some useful detail in a New Yorker essay.
Our priceless planet
Why capitalism can’t solve the climate crisis – Prof Brett Christophers explains in Time magazine.