Hard Code | A gentle reminder: Nothing is unhackable

Last week, the discovery of an unusual behaviour of a small software utility set cybersecurity circles abuzz. The incident flew under the radar of mainstream media, but for the cybersecurity community, it was seismic. It put under question the safety and sanctity of one of the cornerstones of the software industry — specifically, the open-source software sector — and floated new fears about the lengths malicious attackers could go to in order to break into sensitive networks and computers.

To briefly summarise the complex chain of events and technical nuances: a widely used software utility that helps pack files and data into a compressed form, known as XZ-Utils, is used in open-source software built atop Linux and Unix. During one of its recent updates, a backdoor was discovered, which could potentially allow anyone to break into any system on which the utility is installed — which it often is as default.
The backdoor elicited a feverish response within the community.
For one, XZ-Utils is very widely used under the hood across Linux and other Unix operating systems to compress software packages, security updates, and even core system files. The backdoor breaks a secure communication format known as SSH, which also allows one computer to remotely connect to another, a feature used often not just by IT teams across organisations but even by people using computers for their work.
Linux and Unix are some of the most widely used operating systems (technically, there are versions of Linux called “distributions”, such as Fedora and Ubuntu) across tech companies, for financial services and healthcare, by government agencies, and in critical infrastructure — in other words, many sensitive sectors use this operating system that is otherwise unknown to everyday users.
Secondly, the backdoor appears to have been inserted by an as-yet unidentified individual who helped the original “maintainer” of XZ-Utils who went by the online identity Jia Tan. Tan earned a place among the maintainers to become a part of the normal open-source development workflow over a year ago. This is particularly worrying since open-source software, or OSS relies on transparent, trust-based collaboration to develop and maintain software.
The fact that malicious changes slipped in unnoticed, passed review and made their way into official release versions is a sobering breach of that trust model. It now raises deep questions about whether such compromises exist in other utilities or software, many of which are pivotal open-source projects that form the building blocks of today’s systems and services.
Third, what are the identity and motives of the actor who inserted that malicious piece of code? Such an act is technically called a supply chain attack, which is particularly devastating because it involves strategically inserting a weakness into dependent applications — think of it as a compromised piece of a foundation on which a multi-storey building rests.
The real-world demonstrations of what such a compromise could look like came in 2020. Hackers believed to be linked to Russia’s foreign intelligence service compromised versions of SolarWinds’ Orion network monitoring tool. The tainted updates were then distributed to around 18,000 customers, including US government agencies and major corporations, establishing covert access. Networks of nearly all sensitive American government departments were believed to have been compromised.
In the most recent case, the concern does not merely stem from hypotheticals. There were signs that there was a concerted effort to get Jia Tan to become one of the maintainers of XZ-Utils. The original maintainer is a person named Lasse Collin, who on several occasions had indicated was swamped with work to be able to roll out new updates. Enter a persona named Jigar Kumar, who prodded Collin to add another maintainer around at the same time as Tan became a regular contributor, suggesting improvements and fixes in the collaborative development.
Thaddeus Grugq, a cybersecurity pioneer, contends that the behaviour demonstrated by Tan and Kumar points to sophisticated HUMINT work, referring to a time-tested way in which intelligence agents function. “Every intelligence agency in the world could run this campaign, design and execute these operations. There is a serious level of technical acumen on display as well, the Jia Tan persona has to be able to do the work and talk the talk, but the core of this campaign is HUMINT,” he wrote in a thread on X.
“The entire campaign is very reasonably paced for an intelligence agency. They approach, get an agent in place, move the pieces into location, and then pull the trigger. Every stage is accomplished smoothly and with sufficient cover for action,” he adds in another post.
It may seem like an isolated incident, but it is important to recall both the SolarWinds attacks and the fact that countries like India are going full steam ahead with digitising the functions of the state and the lives of their citizens. As the XZ-Utils shows, nothing is unhackable. And it is not just the evolution of threat actors that make this true, it also has to do with technology. Today’s encryption is largely seen as vulnerable to the brute force power of quantum computing technologies when they do arrive in the future. At that point, the many encrypted databases squirrelled away by hackers today will likely be open, posing a risk to anyone whose data is compromised.
It is in this light that efforts to construct a digital future must be seen, especially for countries that have yet to put in place adequate technical, legal and procedural safeguards and mitigations.
Binayak Dasgupta, HT Page 1 editor, looks at the emerging challenges from technology and what society, laws and technology itself can do about them
Binayak reports on information security, privacy and scientific research in health and environment with explanatory pieces. He also edits the news sections of the newspaper. …view detail