Thwarted supply-chain hack sets off alarm bells across DC

A foiled attempt to subvert a widely used software utility is raising critical questions across D.C. about the vulnerability of the open-source supply chain — and to what extent foreign nation-states are actively using cloak-and-dagger human spycraft to exploit it.

What happened: On Friday, March 29, Andres Freund, a software engineer at Microsoft, discovered fragments of malicious code expertly hidden inside two versions of an immensely popular open-source data compression tool, which had by then been incorporated into two versions of the widely used Linux operating system.

That kicked off a mad scramble among security pros and government agencies to prevent the compromised code — known as Xz — from being used to launch spying campaigns or cyberattacks against affected Linux users. The U.S. government’s lead civilian cybersecurity agency, CISA, issued swift guidance on how to address the issue Friday.

The impact: Those timely efforts — and the targeted nature of the exploit itself — appear to have prevented most of the fallout of the hack. Still, the caper has sent shivers through the cybersecurity world as much for what it did as for how it was carried out.

A GitHub user identified as Jia Tan — who may not be a real person, or even a single individual — spent roughly two years building their bona fides in the developer community before exploiting that trust to take over control of Xz. Along the way, Jia Tan also appears to have gotten a reputational boost from at least five other GitHub users who aggressively vouched for their trustworthiness, according to Marc Rogers, a white hat researcher who has been investigating the hack.

That type of human-enabled digital spycraft is nearly unprecedented in open source, argued Anjana Rajan, the assistant national cyber director at the White House Office of the National Cyber Director. “This is like an insider threat in the open source ecosystem, which we haven't really seen before,” she said.

The here and now: The FBI and the NSA did not respond to a request for comment about whether they are investigating potential nation-state involvement in the caper. But former government cyber experts said they have no doubt they are.

“I’m 100% certain there are people in the U.S. government who lost their weekends over this and are working diligently to get to the bottom of it,” said Jake Williams, a former NSA hacker. Other researchers said state involvement is likely given how skilled the Xz exploit code was.

Dave Aitel, another former NSA hacker, likened the incident to some of the biggest Russian hacks in recent memory, including the 2020 Kremlin espionage campaign into government IT contractor SolarWinds. “I mean this is huge,” he said.

The long-term concern: The incident is pushing cyber pros to re-examine the security writ large of open-source code, software anyone can examine, use, edit or distribute. Though it is a critical engine of the modern digital economy, open-source software like Xz is often maintained by as few as one volunteer. And there are even some signs that Jia Tan may have targeted Xz because its former developer had complained about being overworked.

“I think there's a lot of conversations that we need to have about what we do next” to protect open source code, said Rajan, the White House official.

“There are thousands of code projects out there that are being maintained by people in a thankless way because these are unexciting critical dependencies of things on the internet,” said Rogers, the white hat hacker, and this attack “is preying on that fact.”