East Africa News Post


A silent cyberattack has nearly put computers around the world at risk


The software at the heart of the Internet is maintained not by giant corporations or sprawling bureaucracies, but by a handful of hard-working volunteers toiling in the dark.

In 2020, XKCD, a popular Internet comic series, published a cartoon depicting a teetering arrangement of blocks under the title: “The Entire Modern Digital Infrastructure.” A thin brick sat precariously at the bottom, holding it all together: “A project some random person in Nebraska has been thanklessly maintaining since 2003.” The illustration quickly became a cult classic among technically minded people because it highlighted a difficult truth: The software at the heart of the Internet is maintained not by giant corporations or sprawling bureaucracies, but by a handful of hard-working volunteers toiling in the dark. The cybersecurity panic of recent days shows how the outcome can be near-disaster.

On March 29th Andres Freund, an engineer at Microsoft, published a short detective story. He had noticed in recent weeks that SSH (a system for securely logging in to another device over the Internet) was running about 500 milliseconds slower than expected. Closer inspection revealed malicious code embedded in XZ Utils, a program designed to compress data used within the Linux operating system, which runs on virtually every publicly accessible server on the Internet. Ultimately, these servers support the Internet, including vital financial and government services. The malware could have served as a “master key,” allowing attackers to steal encrypted data or plant other malware.

The most interesting part of the story is how it got there. XZ Utils is open source software, which means its code is public and anyone can examine or modify it. In 2022, Lasse Collin, the developer who maintained it, found his “unpaid hobby project” becoming more burdensome amid long-term mental health issues. A developer named Jia Tan, who had created an account the previous year, offered to help. Over the course of more than two years, they contributed useful code hundreds of times, building trust. In February, they smuggled in the malware.


The significance of the attack is “tremendous,” says The Grugq, a pseudonymous independent security researcher who is very popular among cybersecurity professionals. “The backdoor is very strange in the way it is implemented, but it is a really clever thing and very subtle.” He suggests that it may have been too subtle, because some steps taken in the code to hide its true purpose may have slowed it down and set off Mr. Freund's alarm. Jia Tan's patient approach, supported by several other accounts urging Collin to hand over the baton, suggests a sophisticated human intelligence operation by a government agency, The Grugq says.


He suspects the Russian foreign intelligence service SVR, which in 2019-2020 also hacked SolarWinds Orion network management software to gain widespread access to US government networks. An analysis conducted by Rhea Karty and Simon Henniger notes that the mysterious Jia Tan made an effort to fake their time zone, but they were probably two or three hours ahead of Greenwich Mean Time, suggesting they may have been in Eastern Europe or western Russia. But the evidence is currently too weak to pinpoint the culprit.

The attack is perhaps the most ambitious “supply chain” attack (an attack that exploits not a specific computer or device, but rather a piece of back-end software or hardware) in recent memory. It is also a clear example of the vulnerabilities of the Internet and the collaborative code on which it relies. For open source advocates, Freund's eagle eyes serve as proof of their thesis: the code is open, anyone can examine it, and bugs or intentional backdoors will eventually be discovered through crowd scrutiny.


Skeptics are less confident. Some debugging and code security tools detected anomalies, but “no one expressed concern,” writes Kevin Beaumont, another cybersecurity specialist. Software engineers are still studying the inner workings of the backdoor, trying to understand its purpose and design. “The world owes Andrés free, unlimited beer,” Beaumont concludes. “He saved everyone's asses in his spare time.”

The attack was detected and stopped before it could cause widespread damage. There is no way to know whether Jia Tan, or the team apparently behind that person, investigated other vital pieces of Internet software under other aliases. But security researchers worry that the foundation of the Internet is vulnerable to similar campaigns. “The bottom line is that we have added untold billions of dollars to code developed by amateurs,” says Michal Zalewski, an expert. There could be other undetected backdoors.

© 2024 The Economist Limited. All rights reserved.