A silent cyber attack nearly compromised computers around the world

In 2020, XKCD , a popular online comic strip, published a cartoon depicting a wobbly arrangement of modules with the label “a fully modern digital infrastructure”. Standing precariously below, holding everything up, was a thin brick that read: “A project ungratefully maintained by some random person in Nebraska since 2003.” This parable quickly became a classic among the technically minded because it illustrates a hard truth: The software at the heart of the Internet is maintained not by giant corporations or vast bureaucracies, but by a handful of curious volunteers working in the dark. A cyber security scare in recent days has shown how the outcome can be close to catastrophic.

On March 29 Andrew FreundEngineer of Microsoft, Published a short police story. In recent weeks, I've noticed that SSH (a system for securely logging into another device over the Internet) is running 500 milliseconds slower than expected. Closer inspection revealed malicious code deeply embedded in XZ Utils, designed to compress data used in the Linux operating system that runs on every publicly accessible server on the Internet. Ultimately, those servers support the Internet, including major financial and government services. The malware would have acted as a “master key”. Allows people to steal encrypted data or attack other malware.

How it got there is the most interesting part of the story. XZ Utils is open source software, which means its code is public and anyone can examine or modify it. In 2022, Lasse Collin, the developer who supported him, found his “unpaid entertainment program” was becoming too burdensome amid chronic mental health issues. A developer named Jia Tan, who had created the account the previous year, volunteered to help. Over two years they contributed hundreds of useful code, building trust. In February they hijacked the malware.

He says the significance of the attack is “enormous”. The Crook, the pseudonym of an independent security researcher widely read among cybersecurity experts. “The backdoor is very strange in the way it's implemented, but it's also very clever and very stealthy”; Perhaps too stealthy, as some steps taken in the code to hide its true purpose may have slowed it down and Mr. Freund's alarm may have been set. Jia Dan's patient attitude, supported by many accounts, insisted on passing the baton. A sophisticated human intelligence operation by a government agency, Recommends The Crook.

He suspects the SVR, Russia's foreign intelligence service, which compromised SolarWinds' Orion network management software in 2019-20 and gained broad access to US government networks. Analysis was carried out by Rhea Karti And Simon Henniger The mysterious Jia Dan tried to spoof their time zone, but they were two or three hours ahead of Greenwich Mean Time, suggesting they were probably in Eastern Europe or Western Russia. However, at present, the evidence is too weak to identify the culprit.

The attack was perhaps the most ambitious “supply chain” attack in recent memory (exploiting a piece of back-end software or hardware, not a specific computer or device). It is also a clear example of the weaknesses of the Internet and the collective code it is based on. For proponents of open source software, Freund's eagle eyes demonstrate his premise: code is open, can be inspected by anyone, and bugs or intentional backdoors will eventually be discovered through collaborative inspection.

Doubts are not sure. Some debugging and code protection tools found inconsistencies “that no one else was concerned about,” he writes. Kevin Beaumont, another cybersecurity expert. Software engineers are still investigating the backdoor's inner workings and trying to understand its purpose and design. “The world owes Andres free and unlimited beer,” concludes Beaumont. “He saved everyone's legs in his spare time.”

The attack was detected and stopped before it could cause widespread damage. There's no way to know whether Jia Tan or the team behind the man explored other key pieces of Internet software under other aliases. But security researchers worry that the foundation of the Internet is vulnerable to similar campaigns. “The bottom line is that we've added untold billions of dollars in code created by amateurs,” he says. Michael Zalewski, an expert. Other backdoors may sneak in undetected.

© 2024, The Economist Newspaper Limited. All rights reserved.