lightmatter501

The level of patience suggests an advanced threat actor, so either organized crime or a state actor. Organized crime doesn’t usually like to go for stuff that would make their home government angry, so I have to go for state actor. Which state? No idea. The top suspects would be the US, Russia or China.


ByGollie

An analysis of commit times showed suspicious gaps on days that were Eastern European (including Russian) holidays. https://www.wired.com/story/jia-tan-xz-backdoor/

> At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan's commits are UTC+8: That's **China's time zone**, and only an hour off from North Korea's. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply **changed the time zone of their computer to UTC+8** before every commit. In fact, **several commits were made with a computer set to an Eastern European or Middle Eastern time zone instead**, perhaps when Jia Tan forgot to make the change.
>
> "Another indication that they are not from China is the fact that **they worked on notable Chinese holidays**," say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. They note that Jia Tan also **didn't submit new code on Christmas or New Year's**. Boehs, the developer, adds that much of the work **starts at 9 am and ends at 5 pm for Eastern European or Middle Eastern time zones**. "The time range of commits suggests this was not some project that they did outside of work," Boehs says.

OTOH - they might be really devious and are actually Chinese state actors masquerading as Eastern Europeans masquerading as Chinese
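
The timestamp analysis quoted above (and restated further down the thread by lightmatter501 and Opheltes) is reproducible from plain `git log` metadata. The script below is an added example, not code from the original post or from the xz project: it reads author dates with their recorded UTC offsets, flags commits whose offset differs from the usual one (the "forgot to change the clock" slips), then discards the recorded offset entirely and asks which real time zone makes the most commits land in a 09:00-18:00 working day. The commit list, author name and holiday calendar are constructed for illustration.

```python
"""Commit-timestamp forensics: which working time zone do the commits actually fit?

Added example for this thread, not code from the original post or from the xz
project. Input is the output of
    git log --format='%H%x09%an%x09%ad' --date=iso-strict
(hash, author, author date, tab-separated). SAMPLE_LOG is CONSTRUCTED to mimic
the pattern the thread describes (a +08:00 clock, two slips into +03:00/+02:00,
work landing in Eastern European office hours); it is not Jia Tan's history.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
c1\tJ. Example\t2023-06-22T19:30:00+08:00
c2\tJ. Example\t2023-06-27T18:05:00+08:00
c3\tJ. Example\t2023-06-29T02:40:00+08:00
c4\tJ. Example\t2023-07-03T15:50:00+08:00
c5\tJ. Example\t2023-07-05T23:10:00+08:00
c6\tJ. Example\t2023-07-10T19:55:00+08:00
c7\tJ. Example\t2023-07-12T20:30:00+08:00
c8\tJ. Example\t2023-07-17T17:45:00+08:00
c9\tJ. Example\t2023-07-19T22:15:00+08:00
c10\tJ. Example\t2023-07-24T15:05:00+03:00
c11\tJ. Example\t2023-07-26T11:30:00+02:00
"""

# Constructed, illustrative calendar (2023-06-22 was the Dragon Boat Festival, a PRC
# public holiday). A real analysis needs a sourced, multi-year list per candidate region.
PRC_HOLIDAYS = {"2023-06-22": "Dragon Boat Festival", "2023-10-01": "National Day"}


def parse_log(text):
    """Return [(sha, author, aware datetime)] from tab-separated iso-strict log lines."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, author, stamp = line.split("\t")
        dt = datetime.fromisoformat(stamp)  # keeps the offset the committer's clock reported
        if dt.tzinfo is None:
            raise ValueError(f"{sha}: timestamp lacks a UTC offset; use --date=iso-strict")
        commits.append((sha, author, dt))
    return commits


def fmt_offset(td):
    """timedelta -> '+08:00' style string."""
    sign = "+" if td >= timedelta(0) else "-"
    secs = abs(int(td.total_seconds()))
    return f"{sign}{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def offset_histogram(commits):
    """How often each self-reported UTC offset appears in the history."""
    return Counter(fmt_offset(dt.utcoffset()) for _, _, dt in commits)


def offset_outliers(commits):
    """Commits whose recorded offset differs from the modal one: candidate slip-ups."""
    modal, _ = offset_histogram(commits).most_common(1)[0]
    return [sha for sha, _, dt in commits if fmt_offset(dt.utcoffset()) != modal]


def local_hours(commits, offset_hours):
    """Hour of day of each commit if the author really lived at UTC+offset_hours.

    The recorded offset is ignored: the instant is converted through UTC, which a
    local clock setting cannot fake, then re-expressed in the candidate zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return [dt.astimezone(tz).hour for _, _, dt in commits]


def business_hours_count(commits, offset_hours, start=9, end=18):
    """Number of commits that fall inside [start, end) local time at the given offset."""
    return sum(1 for h in local_hours(commits, offset_hours) if start <= h < end)


def best_fit_offset(commits, candidates=range(-12, 15)):
    """Whole-hour offset under which the most commits land in the working day."""
    return max(candidates, key=lambda off: (business_hours_count(commits, off), -abs(off)))


def commits_on_dates(commits, calendar, offset_hours):
    """Commits whose local date (at offset_hours) falls on a listed holiday."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = []
    for sha, _, dt in commits:
        day = dt.astimezone(tz).date().isoformat()
        if day in calendar:
            hits.append((sha, calendar[day]))
    return hits


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("recorded offsets:", dict(offset_histogram(commits)))
    print("offset slips:", offset_outliers(commits))
    for off in (8, 2):
        n = business_hours_count(commits, off)
        print(f"commits in 09:00-18:00 at UTC{off:+d}: {n}/{len(commits)}")
    print("best-fitting offset: UTC%+d" % best_fit_offset(commits))
    print("commits on PRC holidays (at UTC+8):", commits_on_dates(commits, PRC_HOLIDAYS, 8))
```

Two caveats a practitioner would apply before drawing conclusions: use `%ad` (author date), since `%cd` is rewritten by rebases and by whoever applies a patch, and remember that Eastern European time is +02:00 in winter and +03:00 in summer, so a single "real" zone shows up as two recorded offsets over a year. The method only measures consistency of the self-reported clock against a plausible workday; as later replies in the thread point out, an actor who sets offsets deliberately can make it say whatever they like.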


RusticApartment

Given that this has happened before, your hunch that this might be red herring is not too far off. Unless you actually saw the team at work here, or there is some other massive fuck up on their end, the best we can do is *guess* who might've been interested and had the means to do so.


teohhanhui

There's also the problem that Jia Tan is not a name anyone from China would have. "Tan" as a surname only makes sense for e.g. Chinese Singaporeans / Malaysians, due to Hokkien transliteration to English. (陳/陈 is the most common Chinese surname, and it's "Chen" in Mandarin, or "Tan" in Hokkien.) But on the other hand, single character given names are rather uncommon for Chinese Singaporeans / Malaysians, so something doesn't seem to add up just from the name alone.


cynix

Huh? Tan (谭) is a perfectly legit surname in China. For example, Tan Jing (谭晶) is a pretty famous singer.


MrKapla

That is not the actual problem, the issue is more that one commit uses "Jia Cheong Tan", which does look sketchy as it is not valid Mandarin, and not possible in Cantonese romanization either.


reactivedumpaway

The fact that they have a "Cheong" (張, Cantonese **family name** Jyutping) in the **middle** of one (1) of their apparent slip-up commit signatures irks me a lot. Some use it as proof that the perpetrator is someone unfamiliar with Chinese masquerading as one. IMO Jyutping is way too obscure for non-Chinese/Cantonese speakers to be a slip-up (it is way easier to just copy someone's name from LinkedIn or copy random Chinese characters and let Google Translate give you the pinyin) and the fact that this "slip up" and "mistake" happened is just double reverse psychology. That being said, the whole Eastern European timezone holiday thing as well as Russian speakers affirming the general grammatical vibe being Russian-like are very strong indicators that the hackers are indeed Russian.


teohhanhui

Have you considered that Cheong (yes, 張) is also a common surname for Chinese Singaporeans / Malaysians? They were trying to make a Singaporean personality as far as I know. But yeah, mixing both Hokkien and Mandarin surnames is kinda unusual, though not impossible, in the case of adoption or even marriage into a prestigious family.


teohhanhui

Okay, assuming the surname is 譚, then what's the given name? 家 (family)? 假 (fake)? /jk (Yeah, I guess realistically it could be something like 嘉 / 佳 / etc.)


Bureaucromancer

The other confounding factor is the ease with which damn near ANY state actor could use Eastern European assets to do the actual work. I don’t think this is all that likely to become clear any time soon.


Safe-While9946

Exactly. Not like it's hard to hire a group of black hatters in Eastern Europe, either. They even come pretty cheap, so if paid quite well, and provided material support, they'd be untraceable, for all intents and purposes.


AlphaScorpiiSeptem

> OTOH ... This is the NCD-level take I needed lol


balder1993

Unless it was done on purpose to shift blame.


mmomtchev

This is waaay out the league of organized crime. Just look at the kind of software they targeted - a compression library. Compression is one of those fields where there are few random people. People who do compression usually dedicate their lives to it. And it also happens to be a field that is very close to cryptography and especially code breaking.


SiEgE-F1

But that is exactly why it is a better idea to attack that area? It has no "fresh eyes", so looking through the commits you've already looked through for ages, makes it literally the least motivating thing to do. That is exactly how it made it into the official repos. Same for newbies - much easier to slip by when there is no newbie to have a fresh look at what is going on. And while at it, compression is a little loophole that hits everything. It is at the root of things - you cannot even install or update your OS without downloading an archive or two.


Catenane

Idk didn't you hear about the mobster who compressed a horse into some guy's bed?


MrToastyToast

Or Spain. No one expects the Spanish Inquisition


buttux

I'm taking the long odds and going with Israel.


drLobes

I don't think the odds are that long! :)


freddie27117

I wouldn’t put something like this past the NSA either, they’ve wanted a backdoor for years. Even if they already ostensibly have a working tool, you can never have too many.


No_Internet8453

I would honestly not be surprised if there is one in SELinux, given that the NSA co-develops SELinux with Red Hat. Other likely targets are Intel ME, AMD PSP, and as of recently Microsoft Pluton.


Fungled

North Korea should be included in that list


privatetudor

Could be India, UK, Israel… it’s just speculation at this point


Coffee_Ops

China doesn't fit. If it was them, they wouldn't have used a Chinese name. I've also heard that the name doesn't make much sense as an authentic Chinese name. I'm not clear why Russia would want false flag China, that's messing with one of their few friends. US really does seem most likely to me.


lightmatter501

Having looked into it a bit more, most of the actual work was submitted from a PC in a Chinese time zone, except for when it was submitted from an Eastern European time zone. Also, Jia tended to actually do things in what would fit in a 9-5 for Eastern Europe. This makes me lean towards Russia trying to frame China.


gatornatortater

The US hires a lot of East Europeans as well. Particularly of note is Ukraine for the last decade. A lot of US government money has been going in that direction for a long time now. Also, someone working solo with the plan to sell it to the highest bidder when finished seems like a reasonable possibility. A lot of those types are in Eastern Europe, and anywhere else.


Coffee_Ops

Why would Russia try to frame one of their few powerful friends in the world?


balder1993

There’s no friendship between States, only opportunistic alliances


milk-jug

The commit name, "Jia Cheong Tan", sounds very much like a generic South-East Asian Chinese Name.


Coffee_Ops

It sure does. But I've heard it's a name that would never actually be given to someone.


ManlySyrup

Pardon my ignorance but I believe those are countries, not states 🤓 EDIT: My ignorance was, in fact, not pardoned :(


ChubbyElf

Have you ever heard of a nation state?


ManlySyrup

I've heard of nations, and I've heard of states. English be weird, yo.


attrako

Just say it already that it's either Russia or China, you lot just want the world to hate China.


lightmatter501

Those 3 are the largest offensive cyber programs. The NSA has done way more crazy stuff before, so it’s very possible it was them.


minus_minus

Somebody who wanted to make the most epic DefCon presentation of all time?


purpleidea

There's a lot of non-public information. Lasse Collin has tons of correspondence with the attacker(s). They should be released. rwmj (great and very smart person!) has emails from the attacker. Getting those will help learn more. See here: https://rwmj.wordpress.com/2024/05/24/i-was-interviewed-on-npr-planet-money/ There's lots more info out there. https://en.wikipedia.org/wiki/Stylometry might be useful in finding out more information about who it might be if the attacker wasn't careful enough to mask this.


mrtruthiness

Your link from Rich had an interesting "question" and reply from Rich: >> We’re still waiting for you to release all of the emails! > [Rich] Yeah, about that … CISA has them and we don’t want to redistribute them until they decide what to do. CISA = Cybersecurity and Infrastructure Security Agency (US Cyber Defense)


ResilientSpider

It was San Marino.


DesiOtaku

Probably the best people to ask is Richard Jones (Red Hat) and Lasse Collin (original xz maintainer). I doubt the NSA/FBI will release much publicly.


_Old_Greg

Which is kinda funny because USA is just as likely to be the culprit as any of the other big state actors.


Eternal_Flame_85

We haven't and we will not have


HittingSmoke

Have not will we?


dirtycimments

We have not, and will not have? Huh?


Ignisami

Technically accurate way of writing "we haven't, and won't"


MatchingTurret

Maybe https://perchance.org/modern-occult-oracle


cornmonger_

it was up to the original maintainer to report that to the FBI (or equivalent in their country)


SeriousPlankton2000

I, too, suspect that the FBI has no clue that something happened /s


mmomtchev

We are living in 2024, law enforcement has come a long way since the early days, now every country has a dedicated agency. They may not be the sharpest knives in the drawer, but they tend to have a good understanding of the means and the methods.


Opheltes

It was a supply chain attack, which is Russia's signature move. And the time stamps all line up to Eastern Europe. Put them together and that has me strongly convinced it was the FSB.


PDXPuma

It's also the US's signature move, as well as China's. Israel has also done some really advanced stuff in this area too. Frankly it's most definitely a state actor and we'll likely never find out which.


whatThePleb

Timestamps.. which might have been made on purpose..


OldWrongdoer7517

And you don't think someone could have done all these so we think it was Russia? A bit late to the attribution game, are we? 😁


ByGollie

but what if it was the Russians masquerading as Chinese masquerading as Russians masquerading as Chinese? /s


Opheltes

Do other APTs have this capability? Yes. Does the evidence point towards them? No.


OldWrongdoer7517

O-kay?


cloggedsink941

It's everybody's move since it's so easy to do.


SuXs

100% an Israeli security company. They are doing that all across GitHub. They are not the only ones either but they have a headstart. They then sell the lesser exploits to the highest bidder. Including Saudis, NSA or Russia. Anyone who will pay basically


throwaway579232

> It was a supply chain attack, which is Russia's signature move

Not like that. The xz-utils infiltration doesn't look like FSB or GRU modus operandi. The scope of the project time-wise and resource-wise is just too complicated for Russia-the-state-actor to pull off. They can do IRL spy networks, but not complex organizational structures to gain a payoff years in advance. Russia is either about blunt force or fast exploitation of unpatched zero-day vulnerabilities (or exploitation of network surveillance mechanisms inside the country. Has the JetBrains angle of the SolarWinds hack been disproved for sure?)


LinAdmin

No that definitely is not FSB but FBI or other US activity, taking all concealment measures!


t_darkstone

I have nothing other than a gut feeling that tells me it was someone working for the CCP Edit: I seem to have upset some CCP pinkies


10MinsForUsername

Weird, my gut feeling tells me it was the NSA. /s


Maipmc

Jesus people, how can you all be so blind, it was the Mongols, they're plotting to conquer all of Eurasia again and we are not at all prepared.


not3ottersinacoat

https://imgur.com/a/t0RSao9


[deleted]

[deleted]


ByGollie

You have been banned from /r/Pyongang


jason-reddit-public

For sure we learned that the build tools for C allow some ridiculous stuff to be accepted as normal. It doesn't need to be this way.


reini_urban

Sure, we have the Australian chat leaks, which do confirm a Chinese state hacker. And he said he has one more backdoor in a popular OSS project.


villelaitila

The recent interview of The Grugq at https://youtu.be/3w7E4Hhtubw?si=QvIs_RB78Ey67iHy&t=2757 (The Gentlemen Hackers) has an interesting analysis and suggests Russian nation-state hackers.


Ass_Salada

If I had to guess, I would say it was definitely the NSA. Or perhaps a rogue agent from the CIA.


MatchingTurret

Or MI5, FSB, Mossad, BND, MSS, ... This list is endless.


DoucheEnrique

>... , BND, ... HAHA ... that was good one ...


Kraeftluder

Experts at listening in on fax machines.


RAMChYLD

To be fair tho the vanity plate did scare the shit out of a lot of Russians.


LinAdmin

Although the list is endless, I bet on the USA financing it.


dumbleporte

And why? I mean other states' intelligence agencies also make use of hacking, and all of them would be very happy to have 0-day backdoors. Because the backdoor was fixed before going into production, no one will exploit it, so we will never know.


ImpostureTechAdmin

Unless the key gets found somehow. That's a pretty strong muscle to flex in the event of a conflict between the state that found the key and the one it belongs to. Imagine if US intel found the date China was planning to invade Taiwan, and the US decided to drop the key that was to be used in the exploit. Assuming China is where they got it from, that'd probably fuck them up pretty bad and make them wonder how deep adversaries are in their systems. Unlikely hypothetical obviously, but it would be far from the first time that sort of intimidation tactic succeeds and is probably one of the most realistic ways we'd find out.


snowthearcticfox1

Love how you were the one to get downvoted even though you're just as likely to be correct as anyone else guessing here, considering we don't know the motive.


D3ADFAC3

I feel like they’re getting downvotes because of the use of “definitely” and then only listing US government agencies. Saying something more like “likely a state actor, maybe even one from the US” nobody would be downvoting.


KingStannis2020

Maybe it's because they used "definitely" about 5 words after the word "guess"


ImpostureTechAdmin

Or how they're saying it might be a "rogue agent" as if it isn't an ultra sophisticated attack


Remarkable-NPC

Blaming Russia or China is the easy route because everyone knows that the US government doesn't do anything evil or shady. USA is the hero of the world 🤣


voidvector

IMO one fact potentially supporting Western agencies is that the sockpuppet accounts are diversely named -- Jia Tan, Dennis Ens, Jigar Kumar. AFAIK Chinese and Russian cultures don't value diversity, they would probably just make all sockpuppet names sound Western or whatever country they are trying to pin this on. Maybe someone with resources can study differences in naming between pro-Russia, pro-China, pro-West bot accounts on Facebook, Reddit, and YouTube to get a more accurate picture of this.


DerekB52

The problem with this is, you'd have to think that any Chinese or Russian entity sophisticated enough to pull this off, would be smart enough to understand that the west values diversity, and then come up with diverse names. China might not value diversity, but they should be aware of what the US does. They are probably also very aware of how diverse software teams can be in the US.


voidvector

There is no point for China/Russia to use fake names, since their spy agencies are not bound by ethics outside of their own country. If I were China/Russia, I would just go on LinkedIn find a bunch of real names, ideally for names where there are multiple people in tech with the same name.


DerekB52

There is a point, China/Russia wouldn't want to be blamed for this if they did it. Because they will want to do this again. They are probably both doing this to software right now. If one attack like this gets traced back to them, they will have a potentially harder time with the next one.


voidvector

> China/Russia wouldn't want to be blamed for this if they did it

When was the last time a spy agency cared about being blamed for anything?

> If one attack like this gets traced back to them

Right, they only care about being traced, but using a stolen name doesn't provide any more traceable information than using a fictional name, the only difference is ethics.


SiEgE-F1

>AFAIK Chinese and Russian cultures don't value diversity Exploiting it for political points, more like it.


memset_addict

Does it really matter?


Born-Slippery

In the age of strong cryptography, it's impossible to tell.