What are the causes of disasters? A few weeks ago, Andres Freund, an engineer at Microsoft, noticed a half-second slowdown in the handling of some connections by SSH, a tool for securing Internet connections. At this point, some colleagues would simply have said to themselves: well, too bad. But at the end of March, in his free time, Freund decided to follow the white rabbit. He then discovered that the problem originated in a code change to an obscure piece of open source software, used on the Linux operating system for data compression and called XZ Utils. And that the change was anything but trivial.
The computer scientist had discovered a real “back door”: a kind of vulnerability, deliberately installed, allowing a potential attacker to install malicious programs on a user’s machine, or perhaps to siphon off information. This is where the matter becomes serious: the large majority of servers around the world, such as those housing the data of multinationals, financial bodies or even government administrations, run on Linux and use its SSH connections. So, long story short, someone was about to build a cyberespionage tool of colossal scale. Perhaps even an unprecedented one.
Open source, a valuable but fragile resource
This is also what the New York Times, The Guardian and The Economist concluded, taking turns loudly relaying the alert raised by Andres Freund. Publicly congratulated by his boss, Satya Nadella, the engineer has become a demigod among developers. “I am a fairly discreet person who sits in front of his computer and tinkers with code,” he humbly described himself to the first of the media outlets cited. Most cybersecurity experts agree, however, that his intervention was decisive. The hacker had only recently planted his poison; all that was missing was for end users to install the update. Most had not yet had time to do so, or quickly corrected it via one of the patches published shortly after the discovery by Freund who, let us remember, is not paid for this specific mission.
Like thousands of others, he is one of those digital patrollers who work voluntarily to keep open source software up to date, and above all secure: software that is free to consult, to use and, for trusted users, to modify. This is the first lesson of this story: these rare people are infinitely valuable to the global Internet. Because, and this is nothing new, these open source systems are by definition critical. Their accessibility and ease of implementation have made them the basic technological building blocks of the global Internet for twenty to thirty years. To the point of being “a victim of their success” and suffering “from a lack of resources dedicated to their maintenance”, as a study from the French Institute of International Relations (Ifri) remarked at the end of 2022. That is, one year after the discovery of a vulnerability, this one unintentional, which had already thrown the cyber world into turmoil: Log4Shell.
Infiltration
Ifri, among other serious institutes, recalled the growing concern of governments about “the manipulation of code by criminals and foreign agents”. The latter can, via this software, reach their targets in a roundabout and almost invisible manner, carrying out the fearsome “supply chain attacks”, as experts call them. This is the second lesson: this fragility persists, and attackers are determined to take advantage of it. The dark scenario of XZ Utils is a cruel illustration of this.
And with all the proper forms observed. Jia Tan, as he calls himself, is thought to be the author of the “back door”, according to the first evidence collected. Quoted by Wired, Costin Raiu, head of the global research and analysis team at the Russian cybersecurity company Kaspersky, believes that he (or perhaps even “they”) is acting on behalf of a “nation-state-backed group”. Russia, China, Iran, the usual suspects in this type of business? Impossible to say. This assessment rests in any case on the particularly elaborate modus operandi of the attack.
Tan registered on GitHub, the reference platform for open source, in mid-2021. He contributed to the running of a handful of projects before focusing specifically on XZ Utils. It is not yet clear whether this was because of its importance or rather because it had been somewhat neglected by its usual guardian, a man named Lasse Collin, notably for medical reasons. Either way, the choice paid off. The hacker offered hundreds of modifications. All legitimate. Useful, one way or another. He kept up a steady exchange of emails, as if nothing were amiss. Gained everyone’s trust. In 2023, other contributors, presumably in on the operation, came to support Jia Tan’s takeover. He ended up delivering the updates in question at the beginning of 2024. Almost three years after his first appearance. A patience and dedication that give pause. Which leads to the third and final lesson, the most worrying: it is not impossible that dozens of Jia Tans are currently working behind the scenes on other software. Without, for the moment, arousing the suspicions of a vigilant Andres Freund.