The mystery of XZ backdoor mastermind “Jia Tan”

Scott believes that these three years of code changes and polite emails were most likely not used to break multiple software projects, but rather to build a history of credibility in preparation for breaking XZ Utils in particular, and possibly other projects in the future. “He just never got to this point because we were lucky enough to find his stuff,” Scott said. “So now everything is burned and he will have to go back to step one.”

Technical sophistication and time zones

Raiu, a former Kaspersky chief researcher, believes that although Jia Tan appears to be an individual, their years of preparation are the hallmarks of a well-organized, state-sponsored hacking group. The same goes for the technical hallmarks of the malicious code that Jia Tan added to XZ Utils. Raiu noted that at first glance, the code does look like part of a compression tool. “It’s written in a very subversive way,” he said. Raiu said this is also a “passive” backdoor, so it doesn’t contact command-and-control servers that might help identify the backdoor operator. Instead, it waits for the operator to connect to the target computer via SSH and authenticate using a private key generated by a particularly strong encryption function called ED448.

Raiu noted that the backdoor’s sophistication could be the work of U.S. hackers, but he thinks this is unlikely because the U.S. typically doesn’t compromise open source projects. If it did, the NSA would likely use quantum-resistant encryption, which ED448 is not. Raiu said this leaves non-U.S. organizations with a history of supply chain attacks, such as China’s APT41, North Korea’s Lazarus Group and Russia’s APT29.

At first glance, Jia Tan does look East Asian, or that is the intended impression. The time zone recorded in Jia Tan’s commits is UTC+8: China’s time zone, only one hour away from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggested that Jia Tan might simply have changed the computer’s time zone to UTC+8 before each commit. In fact, several commits were made with the computer set to an Eastern European time zone, perhaps when Jia Tan forgot to change it.

“Another indication that they are not from China is the fact that they are working on an important Chinese holiday,” said Karty and Henniger, students at Dartmouth College and the Technical University of Munich respectively. Developer Boehs added that some of the work starts at 9 am and ends at 5 pm in the Eastern European time zone. “The time frame of the submissions indicates this was not a project they completed outside of work,” Boehs said.

Dave Aitel, a former NSA hacker and founder of the cybersecurity company Immunity, believes that all these clues point to Russia, and especially to the Russian hacking group APT29. Aitel noted that APT29, which is widely believed to work for Russia’s foreign intelligence service, the SVR, has a reputation for technical caution that few other hacking groups display. APT29 also carried out the SolarWinds compromise, perhaps the most cleverly coordinated and effective software supply chain attack in history. That operation is far closer in style to the XZ Utils backdoor than the cruder supply chain attacks of APT41 or Lazarus.

“It could very well be someone else,” Aitel said, “but I mean, if you’re looking for the most sophisticated malicious operation on the planet, it’s going to be our dear friends at SVR.”

Security researchers agree at least that Jia Tan is unlikely to be a real person, or even a single person working alone. Instead, the persona appears to be the online embodiment of a well-organized group’s new strategy, which means we should expect to see Jia Tan return under another name: the seemingly polite and enthusiastic contributor to open source projects who hides secret government intentions in code submissions.
