An adversary does not need sophisticated technical expertise to execute a broad software supply chain attack like the ones that hit SolarWinds and Codecov. Sometimes, all it takes is a little time and some clever social engineering.
This appears to have been the case for whoever introduced a backdoor into XZ Utils, an open source data compression utility found on Linux systems, earlier this year. Analysis of the incident from Kaspersky this week, and similar reports from others in recent days, have identified the attacker as relying almost entirely on social engineering to slip the backdoor into the utility.
Social engineering the open source software supply chain
Disturbingly, this may be a pattern used by attackers to inject similar malware into other widely used open source projects and components.
In an advisory last week, the Open Source Security Foundation (OSSF) warned that the XZ Utils attack will likely not be an isolated incident. The alert identified at least one other case in which an adversary used tactics similar to those used on XZ Utils to try to take control of JavaScript projects at the OpenJS Foundation.
“The OSSF and OpenJS Foundations ask all open source maintainers to be alert to social engineering takeover attempts, to recognize early emerging threat patterns, and to take steps to protect their open source projects,” the OSSF notice reads.
A Microsoft developer discovered the backdoor in newer versions of an XZ library called liblzma while investigating strange behavior on a Debian installation. At the time, only the unstable and beta versions of Fedora, Debian, Kali, openSUSE, and Arch Linux carried the backdoored library, meaning it was largely a non-issue for most Linux users.
But the way the attacker introduced the backdoor is particularly worrying, Kaspersky said. “One of the key differentiators of the SolarWinds incident from previous supply chain attacks was the adversary’s sustained and covert access to the source/development environment,” Kaspersky said. “In this XZ Utils incident, this sustained access was achieved through social engineering and extended with fictitious human identity interactions in plain sight.”
A low and slow attack
The attack appears to have begun in October 2021, when an individual using the pseudonym “Jia Tan” submitted a harmless patch to the single-person XZ Utils project. Over the following weeks and months, the Jia Tan account sent numerous similar harmless patches (detailed in this timeline) to the XZ Utils project, which its sole maintainer, an individual named Lasse Collin, eventually began merging into the utility.
Starting in April 2022, two other personas – one using the alias “Jigar Kumar” and the other “Dennis Ens” – began emailing Collin, urging him to integrate Tan’s patches into XZ Utils at a faster pace.
The Jigar Kumar and Dennis Ens personas gradually increased the pressure on Collin, eventually demanding that he add another maintainer to the project. Collin at one point reaffirmed his interest in maintaining the project, but confessed to being limited by “long-term mental health issues”. Ultimately, Collin gave in to the pressure from Kumar and Ens and granted Jia Tan access to the project and the authority to make changes to the code.
“Their goal was to grant Jia Tan full access to the source code of XZ Utils and subtly introduce malicious code into XZ Utils,” Kaspersky said. “Identities also interact with each other in mail threads, complaining about the need to replace Lasse Collin as maintainer of XZ Utils.” The different personas involved in the attack – Jia Tan, Jigar Kumar and Dennis Ens – appear to have been deliberately crafted to look as if they came from different geographic regions, to dispel any suspicion that they were working in concert. Another individual, or persona, Hans Jansen, briefly emerged in June 2023 with new performance optimization code for XZ Utils that was integrated into the utility.
A large cast of actors
Jia Tan introduced the backdoor binary into the utility in February 2024 after gaining control of XZ Utils’ maintenance tasks. Later, the Jansen persona resurfaced, along with two other personas, each of whom pressured major Linux distributors to include the backdoored utility in their distributions, Kaspersky said.
What is not entirely clear is whether the attack involved a small group of actors or a single individual who successfully juggled several identities and manipulated the maintainer into granting the right to make changes to the project’s code.
Kurt Baumgartner, principal researcher on Kaspersky’s Global Research and Analysis Team, told Dark Reading that additional data sources, including login and network flow data, could help in investigating the identities involved in the attack. “The world of open source is extremely open,” he says, “allowing shadowy identities to contribute questionable code to projects that represent major dependencies.”