Backdoor in XZ Utils Raises Concerns about Linux Security Worldwide

United States of America
A backdoor was inserted into XZ Utils through malicious code submitted by Jia Tan, one of the project's two main developers and its co-maintainer.

The recent cyber attack on the open-source software XZ Utils has raised concerns about the security of Linux systems worldwide. The backdoor was inserted into two recent releases of XZ Utils (5.6.0 and 5.6.1, tracked as CVE-2024-3094) and could have left countless systems vulnerable for years if it had spread beyond the development and beta branches of the distributions that picked it up. The malicious code reaches the OpenSSH server through the liblzma library, which many distributions' sshd builds load indirectly via libsystemd, and gives anyone holding the attacker's private key the ability to run commands on the machine before authentication. Jia Tan, one of the project's two main developers, who had been granted co-maintainer status, is the account that inserted the backdoor. The incident highlights the need for closer monitoring of open-source supply chains: vetting contributors is not enough on its own, since the Jia Tan persona passed every informal check the project had, so release tarballs need to be compared against the tagged source and build scripts and binary test fixtures reviewed with the same care as the code.
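The triage check a practitioner wants at this point, as an added example that is not code from the page, from the articles it summarizes or from the xz project: it parses the output of `xz --version` and of `ldd` on the sshd binary for the two indicators that together make a host exploitable, a backdoored library version and an sshd that actually loads liblzma. The sample outputs below are constructed for the example; `check_host` runs the same parsers against the live system. One caveat: some distributions patched the library while keeping a 5.6.x version string, so a hit is a prompt to read the distribution's advisory, not proof on its own.

```shell
#!/bin/sh
# Added triage check for the xz backdoor (CVE-2024-3094); not code from the
# page or the xz project. Two indicators: the installed xz/liblzma reports one
# of the two backdoored releases (5.6.0, 5.6.1), and the sshd binary loads
# liblzma at all (on most distributions indirectly, through the libsystemd
# patch to OpenSSH). Without an sshd that loads liblzma the implant has no hook.

# Constructed sample outputs, used only to exercise the parsers offline.
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_LDD_VULN='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0c1c000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0c1bfc0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c1bd00000)'
SAMPLE_LDD_CLEAN='    linux-vdso.so.1 (0x00007ffd1a3f0000)
    libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f0c1b800000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0c1bd00000)'

# Extract the bare version number from the first line of `xz --version`.
parse_xz_version() {
  printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit 0 when the version is one of the two releases that carried the backdoor.
xz_version_affected() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit 0 when `ldd sshd` output shows liblzma in sshd's address space
# (ldd lists transitive dependencies, so the libsystemd route is covered).
sshd_links_liblzma() {
  printf '%s\n' "$1" | grep -q 'liblzma\.so'
}

# Combine the indicators. Exit codes: 0 = VULNERABLE (backdoored library and
# an sshd that loads it), 2 = AT RISK (backdoored library present, sshd does
# not load it), 1 = OK.
classify() {  # $1 = output of `xz --version`, $2 = output of `ldd sshd`
  ver=$(parse_xz_version "$1")
  if xz_version_affected "$ver" && sshd_links_liblzma "$2"; then
    echo "VULNERABLE: liblzma $ver is loaded by sshd"
    return 0
  elif xz_version_affected "$ver"; then
    echo "AT RISK: liblzma $ver installed, sshd does not load it"
    return 2
  else
    echo "OK: liblzma ${ver:-unknown}"
    return 1
  fi
}

# Live check against this host; the sshd path may need adjusting.
check_host() {
  sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)
  classify "$(xz --version 2>/dev/null)" "$(ldd "$sshd_bin" 2>/dev/null)"
}
```

Run `check_host` on each host in the fleet; a VULNERABLE verdict means the implant's hook (sshd loading liblzma) is present, an AT RISK verdict means the library should still be downgraded or replaced before anything else links it.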



Confidence

70%

Doubts
  • The backdoor was plainly deliberate (an obfuscated payload staged through binary test files and a build script present only in the release tarballs), but the identity of whoever operated the Jia Tan account, and whether it was one person or a team, is unknown.
  • The extent of the damage caused by the malicious code is unknown; no exploitation in the wild has been publicly confirmed.

Sources

78%

  • Unique Points
    • Jia Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it.
    • The pattern seems to fit what's known in intelligence parlance as persona management: creating and subsequently maintaining multiple fictive identities.
    • One of the earliest of these users on the list used the name Jigar Kumar.
  • Accuracy
    • The pattern seems to fit what's known in intelligence parlance as persona management: creating and subsequently maintaining multiple fictive identities.
  • Deception (90%)
    The article describes XZ Utils as a widely used technical utility embedded in many Linux operating systems. That description is accurate: XZ Utils and its liblzma library ship as a core package in every major distribution, and the backdoored 5.6.0 and 5.6.1 releases had reached the development and beta branches of several of them, including Fedora Rawhide, the Fedora 40 beta, Debian unstable, openSUSE Tumbleweed and Kali Linux. The article does not say which distributions or versions actually shipped the backdoor, which leaves the reader to look that up elsewhere, but the omission is not deceptive.
    • The article states that XZ Utils was a widely used technical utility embedded in many Linux operating systems. The statement is correct; what the article omits is the list of affected distributions and versions.
  • Fallacies (85%)
    The article discusses a backdoor that was introduced into XZ Utils by Jia Tan. The author of the article is Nikita Mazurov and it was published on March 30th, 2024 on https://theintercept.com/. The backdoor allowed an attacker holding the matching private key to run commands, before authentication and with sshd's root privileges, on any Linux system whose OpenSSH server loaded the backdoored liblzma (typically through the distribution's libsystemd patch). The malicious code reached the utility through a software supply chain attack: Jia Tan, who had been trusted and given co-maintainer status on the project, introduced it. The article also discusses how much damage the backdoor could have caused had it not been discovered in time.
    • The author of the article is Nikita Mazurov
    • Jia Tan introduced a backdoor into XZ Utils through a software supply chain attack
    • This malicious code was introduced by Jia Tan, who had been trusted and given co-maintainer status on the project
  • Bias (80%)
    The article discusses a backdoor that was introduced into XZ Utils, a data compression utility used by various Linux-based applications. The author of the article is Nikita Mazurov and it was published on March 31st, 2024 on https://theintercept.com/. The article recounts how Andres Freund discovered the backdoor in XZ Utils while investigating unexpected performance problems (slow SSH logins and sshd CPU use) on a test system. It also describes how Jia Tan, a contributor to the project since late 2021 who was later made co-maintainer, introduced the backdoor. The article presents this as an example of a software supply chain attack and discusses some technical details of how the backdoor was implemented.
    • The author states that Andres Freund discovered the backdoor in XZ Utils while investigating performance anomalies on his system.
  • Site Conflicts Of Interest (50%)
    None established. Jia Tan (JiaT75) is the GitHub handle of the pseudonymous contributor who inserted the backdoor, not a company, so no one "owns" it and no company of that name was affected. Nothing on the page ties Nikita Mazurov to Microsoft; Microsoft's only connection to the story is that Andres Freund, the engineer who discovered the backdoor, works there.
    • The article discusses how XZ Utils is used by many organizations, including some government agencies; no conflict of interest on the author's part is disclosed or apparent.
  • Author Conflicts Of Interest (50%)
    None established. The page identifies Mazurov only as the author of the Intercept article. The claims that he is a Microsoft developer, that Microsoft owns JiaT75, that Microsoft builds supply chain attack tools, or that Mazurov had access to JiaT75's source code have no support on the page and confuse an attacker's account handle with a company.

            71%

  • Unique Points
    • Jia Tan is the account that added the malicious code to XZ Utils
    • The backdoor is passive: it waits for the operator to connect via SSH and present a payload signed with the operator's Ed448 private key; only a signature that verifies under the public key embedded in the backdoor triggers it
    • It's unlikely that Jia Tan is from China, as they committed on notable Chinese holidays but submitted no new code during Christmas or New Year's
    • The time range of the commits, once the apparently spoofed UTC+8 offset is discounted, matches regular working hours in Eastern European or Middle Eastern time zones
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (50%)
    The article's main claims hold up. Jia Tan's years of legitimate contributions are best read as building credibility ahead of sabotaging XZ Utils specifically, and potentially other projects later; nothing in the article shows earlier supply chain attacks by the same persona. Raiu's description of the backdoor as passive is correct: it does not reach out to a command-and-control server but waits for an inbound SSH connection carrying a payload signed with the operator's Ed448 key, which is why there is no network indicator and detection depends on inspecting the installed liblzma. Raiu's time-zone observation is not self-contradictory either: most commits carry a UTC+8 offset, which on its face would suggest China or North Korea, but a handful were made from a machine set to an Eastern European or Middle Eastern time zone, and that slip is the evidence that the UTC+8 setting was chosen rather than genuine. The one weak point is Aitel's suggestion that Russia's APT29 was responsible, which is speculation the article does not substantiate.
    • The claim that Jia Tan spent years building credibility rather than sabotaging multiple projects is consistent with the commit history the article describes.
    • Raiu's reading of the time zones (a spoofed UTC+8 with a few commits betraying an Eastern European or Middle Eastern offset) points away from China or North Korea rather than toward them.
    • The backdoor is passive and has no command-and-control channel; the article does not show otherwise.
  • Fallacies (85%)
    None Found At Time Of Publication
  • Bias (85%)
    The article's framing leans toward the state-actor reading. Its headline term 'backdoor mastermind' assigns responsibility for the sabotage to Jia Tan, which the commit history supports, but its speculation about nationality rests on time-zone forensics and working-hour patterns, and its suggestion that Jia Tan belongs to a larger organization is an inference from the coordinated sockpuppet campaign rather than direct evidence.
    • The author refers to Jia Tan as a 'backdoor mastermind' and treats them as responsible for the sabotage.
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (50%)
    None established. The page shows no affiliation between the author and XZ Utils. The article's discussion of Russia's APT29 and the SVR is attributed to a quoted source (Aitel) rather than asserted by the author, so it does not create a conflict.
    • The article notes that APT29 has been linked to high-profile intrusions, including the 2016 compromise of the Democratic National Committee, and that the group is believed to belong to Russia's foreign intelligence agency (SVR). This is background, not a conflict of interest.
    • Jia Tan is a pseudonymous account of unknown nationality, not a known Chinese cybercriminal, and XZ Utils is the compromised compression tool, not malware; the article makes neither of those claims. What it does describe is how a supply chain attack of this kind is hard to detect because it arrives through a trusted third-party component.

                  72%

  • Unique Points
    • A developer incidentally thwarted a potentially massive cyber-attack by discovering a malicious backdoor in xz Utils.
    • The attempted hack was carried out by one of the two main developers of xz Utils, who had spent about three years making real and useful contributions before adding malicious code in stages over a long period. The final backdoored version shipped in beta or development versions of several distributions, including Kali Linux.
    • The discovery was made by Andres Freund, a Microsoft developer, who noticed that SSH logins on a system running Debian unstable had slowed from roughly 0.3 seconds to 0.8 seconds.
  • Accuracy
    No Contradictions at Time Of Publication
  • Deception (50%)
    The article's framing is loose rather than deceptive. The attack was not a success: it was caught before the backdoored releases reached any stable distribution, and the discovery was incidental (a developer chasing a latency anomaly) rather than the result of a targeted audit. The article's suggestion that the attacker intended to bide their time or hit a narrow set of targets is a reading of the backdoor's passive, key-gated design; it does not contradict the other sources' suspicion of state involvement, since a state actor is exactly the kind of operator who would build a selective backdoor of that sort.
    • The discovery was incidental, not accidental: Freund investigated a measurable anomaly (slow logins, sshd CPU use and valgrind errors) until he found the cause.
  • Fallacies (85%)
    The article describes a failed attempt to insert a backdoor into Linux software and quotes security analysts who say the outcome would have been catastrophic had the attacker been less sloppy (the half-second login delay and the valgrind errors are what gave it away). Citing named experts for that assessment is ordinary sourcing, not an appeal to authority, and the judgement matches what the backdoor could do: pre-authentication command execution as root on any affected sshd.
    • The attempted hack is what is known as a supply chain attack.
  • Bias (85%)
    The article uses the term 'supply chain attack' and describes how the malicious code was added by one of the tool's own developers over an extended period, with a plausible explanation offered each time. The intent behind the attempt is not in doubt; what is unknown is who was behind the Jia Tan persona. The article raises a possible state-actor connection as a possibility rather than asserting it.
    • The attempted hack is what is known as a “supply chain” attack.
  • Site Conflicts Of Interest (50%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (50%)
    None Found At Time Of Publication

                    88%

  • Unique Points
    • Jia Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it.
    • The backdoor waits for the operator to connect via SSH and present a payload signed with the operator's Ed448 private key
    • Red Hat sent out an emergency security alert for users of Fedora Rawhide and Fedora Linux 40 (then in beta), confirming that the two affected versions of the xz libraries were present in those systems
  • Accuracy
    • The incident is pushing cyber pros to re-examine the security of open-source code.
    • Jia Tan had been a contributor to the XZ project since at least late 2021 and built trust with the community of developers working on it.
    • Any machine running an operating system that included the backdoored utility and met the conditions laid out in the malicious code (an sshd that loads liblzma, typically through the distribution's libsystemd patch) would have been vulnerable to compromise, allowing an attacker holding the private key to take control of the system.
    • The XZ backdoor was introduced by a software supply chain attack, that is, a deliberate act directed against the supply chain of a software product itself.
    • Tan's ascent to co-maintainer of the project played out mostly on a mailing list where the developers exchange ideas and plan the project's work.
    • The users involved in the complaints seemed to materialize from nowhere, posting from what appear to be recently created Proton Mail accounts, then disappearing. Their entire online presence consists of these brief interactions on the XZ mailing list; their only recorded interest is in quickly ushering along updates to the software.
    • Several other figures on the mailing list joined the effort, some specifically pushing for Tan as co-maintainer; they appeared unconnected but coincided in aims and timing.
    • The pattern seems to fit what's known in intelligence parlance as persona management: creating and subsequently maintaining multiple fictive identities.
    • One of the earliest of these users on the list used the name Jigar Kumar.
  • Deception (80%)
    The article frames the incident as a foreign nation-state using cloak-and-dagger human spycraft against open-source code. It poses this as a question rather than a finding, and the evidence it offers (a multi-year persona, coordinated pressure from short-lived accounts, the persona-management pattern) supports the suspicion without identifying any state. The framing is speculative rather than deceptive.
    • A GitHub user identified as Jia Tan spent roughly two years building their bona fides in the developer community before exploiting that trust to take over control of Xz.
    • The incident is pushing cyber pros to re-examine the security writ large of open source code
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (80%)
    The article discusses the discovery of malicious code in an open-source utility that was incorporated into two development versions of Linux (the Fedora Rawhide and Fedora 40 beta builds named in Red Hat's alert). It describes how a GitHub user named Jia Tan spent years building a reputation before exploiting it to take over control of Xz, and raises the question of whether foreign nation-states are actively using cloak-and-dagger human spycraft against the open-source supply chain. Its statement that such human-enabled digital spycraft is nearly unprecedented in open source is an editorial judgement rather than an established fact.
    • The incident is pushing cyber pros to re-examine the security writ large of open-source code
    • What happened: Andres Freund, a software engineer at Microsoft, discovered fragments of malicious code expertly hidden inside two versions of an immensely popular open-source data compression tool on Friday, March 29
  • Site Conflicts Of Interest (100%)
    None Found At Time Of Publication
  • Author Conflicts Of Interest (0%)
    None Found At Time Of Publication

                        85%

  • Unique Points
    • The backdoor had been inserted into recent releases of XZ Utils, the tools for the xz compression format used across Linux
    • If it had spread more widely, an untold number of systems could have been left compromised for years
    • Jia Tan is one of the two main xz Utils developers; they became co-maintainer and then submitted the malicious code to the project
  • Accuracy
    • Jia Tan employed the handle JiaT75 and built trust with the community of developers working on the XZ project.
    • The pattern seems to fit what's known in intelligence parlance as persona management: creating and subsequently maintaining multiple fictive identities.
    • It's unlikely that Jia Tan is from China, as they committed on notable Chinese holidays but submitted no new code during Christmas or New Year's
  • Deception (90%)
    The article's headline, which credits a volunteer with stopping the backdoor from exposing Linux systems worldwide, is fair: Andres Freund found it on his own time while chasing a performance anomaly during PostgreSQL testing, not as part of any review of xz. The article's point that only the holder of the attacker's private key could use the backdoor is accurate, since the trigger is gated on an Ed448 signature, but it should not be read as meaning no systems were exposed: every host running a backdoored liblzma with an sshd that loaded it was reachable by that key holder. The article names Red Hat's emergency alert for Fedora Rawhide and Fedora Linux 40 but does not list the other distributions whose development branches had picked up the releases. Its description of JiaT75 as a familiar name who worked side by side with Lasse Collin, the original developer of the .xz file format, for a long period before submitting malicious code is supported by the project's commit and mailing-list history; what remains unknown is who was behind the handle and whether they had any prior involvement with xz or Linux under another name.
    • Red Hat's emergency alert for Fedora Rawhide and Fedora Linux 40 is mentioned, but other affected distributions are not.
    • The headline's 'volunteer' is Andres Freund, an individual developer who found the backdoor incidentally rather than through an organized review.
    • Only the holder of the attacker's private key could trigger the backdoor, but any system running the backdoored library with an sshd that loaded it was exposed to that key holder.
  • Fallacies (100%)
    None Found At Time Of Publication
  • Bias (100%)
    None Found At Time Of Publication
  • Site Conflicts Of Interest (50%)
    None established. Amrita Khalid is reporting on Red Hat's advisory, not working for Red Hat, and the page offers nothing to the contrary. Jigar Kumar and Dennis Ens are the names of the apparent sockpuppet accounts that pressured Lasse Collin, the original xz maintainer, on the project's mailing list; they are not aliases of Jia Tan established by the article, and the page shows no Debian connection for any of them.
    • No employment relationship between Amrita Khalid and Red Hat is shown.
  • Author Conflicts Of Interest (50%)
    None established. Reporting on an attempt to backdoor Linux software is not a conflict of interest, and the page offers no evidence of a personal relationship between the author and Lasse Collin.
    • The article describes Lasse Collin as the creator of the .xz file format; nothing on the page indicates the author interviewed him or knows him personally.