Ultimately, Scott believes that these three years of code changes and polite emails were most likely used not to sabotage multiple software projects, but to build up a history of credibility in preparation for sabotaging XZ Utils in particular, and possibly other projects in the future. “He just never made it this far because we were lucky enough to find his stuff,” Scott said. “So now that’s been burned, he’s going to have to go back to square one.”
Technical scale and time zone
Raiu, a former Kaspersky chief researcher, believes that although Jia Tan presents as an individual, the years of preparation are the hallmark of a well-organized, state-sponsored hacking group. The same goes for the technical characteristics of the malicious code Jia Tan added to XZ Utils. Raiu noted that at first glance the code does look like part of a compression tool. “It was written in a very subversive way,” he said. It is also a “passive” backdoor, Raiu said: it does not connect out to a command-and-control server that might help identify the operator. Instead, it waits for the operator to connect to the target machine over SSH and authenticate with a private key tied to a particularly strong cryptographic algorithm, Ed448.
Raiu noted that the backdoor’s sophistication could be the work of U.S. hackers, but he thinks that is unlikely because the U.S. typically does not compromise open source projects. If it did, the NSA would likely use quantum-resistant cryptography, which Ed448 is not. That leaves, Raiu said, non-U.S. groups with a history of supply chain attacks, such as China’s APT41, North Korea’s Lazarus Group and Russia’s APT29.
At first glance, Jia Tan does appear to be East Asian, or is meant to look that way. The time zone on Jia Tan’s commits is UTC+8: China’s time zone, and only one hour off from North Korea’s. However, analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may simply have set the computer’s time zone to UTC+8 before each commit. In fact, some commits were made with the computer set to an Eastern European or Middle Eastern time zone, perhaps when Jia Tan forgot to make the change.
“Another sign that they are not from China is that they work during important Chinese holidays,” said Karty and Henniger, students at Dartmouth College and the Technical University of Munich respectively. They also noted that Jia Tan committed no new code over Christmas or New Year’s. Developer Evan Boehs added that, in Eastern European or Middle Eastern time zones, most of the commits fall between 9 a.m. and 5 p.m. “The time frame of the commits indicates this was not a project they completed outside of work,” Boehs said.
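The kind of commit-metadata analysis described above, as an added illustration that is not code from the article or from the researchers it cites: it tallies the UTC offsets recorded in git author timestamps, re-projects commit times into a candidate home time zone to see how many land in a 9-to-5 workday, and flags activity on holidays the claimed zone should observe. The log lines are constructed samples, not Jia Tan’s real commits.

```python
# Added example (not from the article): time-zone forensics on git author
# timestamps, in the spirit of the Karty/Henniger analysis. Sample data below
# is constructed; the values are not real XZ Utils commits.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of `git log --format='%aI'` output (ISO 8601 with offset).
SAMPLE_LOG = """\
2023-06-27T15:02:11+08:00
2023-06-28T16:40:05+08:00
2023-07-03T19:15:48+08:00
2023-08-01T14:05:30+03:00
2023-12-25T17:00:00+08:00
2024-02-20T18:55:02+08:00
"""

def parse_commits(text):
    """Parse ISO 8601 author timestamps (git's %aI) into aware datetimes."""
    return [datetime.fromisoformat(line.strip())
            for line in text.splitlines() if line.strip()]

def offset_histogram(commits):
    """Count the UTC offsets the author's machine claimed at commit time.
    A dominant offset with a few outliers is the 'forgot to change it' pattern."""
    return Counter(dt.strftime("%z") for dt in commits)

def local_hours(commits, offset_hours):
    """Hour of day each commit was made if the author really lived at offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    return [dt.astimezone(tz).hour for dt in commits]

def share_in_office_hours(commits, offset_hours, start=9, end=17):
    """Fraction of commits falling in a [start, end) workday for a candidate zone."""
    hours = local_hours(commits, offset_hours)
    return sum(start <= h < end for h in hours) / len(hours)

def holiday_commits(commits, holidays=((12, 25), (1, 1))):
    """Commits dated (in their own claimed zone) on holidays the author should observe."""
    return [dt for dt in commits if (dt.month, dt.day) in holidays]

if __name__ == "__main__":
    commits = parse_commits(SAMPLE_LOG)
    print("claimed offsets:", dict(offset_histogram(commits)))
    for off in (8, 3, 2):
        print(f"UTC{off:+d}: {share_in_office_hours(commits, off):.0%} in 9-17")
    print("holiday commits:", [dt.date().isoformat() for dt in holiday_commits(commits)])
```

On the constructed sample, a UTC+2 home zone puts every commit inside office hours while the claimed UTC+8 puts only a third there, which is the shape of evidence the researchers describe.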
Dave Aitel, a former NSA hacker and founder of the cybersecurity company Immunity, believes that although countries such as Iran and Israel remain possible, most clues point to Russia, and specifically to the APT29 hacking group. Aitel noted that APT29, widely believed to work for Russia’s foreign intelligence agency, the SVR, has a reputation for technical caution that few other hacking groups possess. APT29 also carried out the SolarWinds attack, which may be the most well-coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor and is far more sophisticated than the cruder supply chain attacks of APT41 or Lazarus.
“It could probably be someone else,” Aitel said. “But I mean, if you’re looking for the most sophisticated supply chain attack on the planet, that’s going to be our good friend at SVR.”
Security researchers agree at least that Jia Tan is unlikely to be a real person, or even one person working alone. Instead, the persona appears to be the online embodiment of a new strategy by a well-organized group, a strategy that very nearly worked. That means we should expect Jia Tan to return under another name: a seemingly polite and enthusiastic contributor to open source projects who hides a government’s covert intentions in his code commits.
Updated April 3, 2024 at 12:30 PM ET to note the possibility of Israeli or Iranian involvement.