Secret of ‘Jia Tan,’ XZ Backdoor Mastermind


In the end, Scott says, three years of polite code contributions and emails may have compromised only a few projects, but they built a solid reputation that laid the groundwork for the XZ Utils backdoor in particular, and possibly for other projects to come. “He didn’t get to that stage because we got lucky and got his stuff,” says Scott. “So they’re fired up now, and they have to go back to square one.”

Technical Tells and Time Zones

Although Jia Tan appears to be a single person, their years of preparation are the hallmark of a state-sponsored hacker group, argues Raiu, a former Kaspersky researcher. So are the technical characteristics of the malicious code Jia Tan added to XZ Utils. Raiu notes that, at a glance, the code looks like part of a compression tool. “It was written in a confusing way,” he says. The backdoor is also passive, Raiu says: it never reaches out to a command-and-control server, which could otherwise help identify the backdoor’s operator. Instead, it waits for the operator to connect to the target machine over SSH and authenticate with a private key, one generated for a particularly strong signature scheme known as Ed448.

The careful design of the backdoor could be the work of US hackers, Raiu says, but he points out that this is unlikely, because the US would not typically sabotage open source projects, and if it did, the NSA would be expected to use a quantum-resistant cryptographic function, which Ed448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu says, such as China’s APT41, North Korea’s Lazarus Group, and Russia’s APT29.

At first glance, Jia Tan appears East Asian, or is meant to. The time zone recorded on Jia Tan’s commits is UTC+8: China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may simply have changed their computer’s time zone to UTC+8 before each commit. In fact, several commits were made from a computer set to an Eastern European time zone instead, possibly after Jia Tan forgot to switch.

“Another sign that they are not from China is that they worked on a popular Chinese holiday,” say Karty and Henniger, students at Dartmouth College and TU Munich, respectively. Boehs, the developer, adds that much of the work began at 9 am and ended at 5 pm Eastern European time. “The timing of what he did shows that this was not an off-duty job,” Boehs says.
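As an added illustration of the kind of commit-metadata analysis Karty, Henniger and Boehs describe above (this is example code written for this page, not their tooling or anything from the XZ Utils repository), the following Python script runs three checks over a constructed git log excerpt: the distribution of declared UTC offsets (a stray offset on a few commits is what a forgotten time-zone switch looks like), the share of commits that fall in 9-to-6 working hours under a hypothesized real time zone, and whether any commit lands on a holiday in the declared zone. The commit hashes and timestamps, the use of a fixed UTC+2 offset as a stand-in for Eastern Europe, and the one-entry holiday table are all assumptions made for the example; a real analysis would use the IANA time-zone database to handle daylight-saving time and a full holiday calendar.

```python
"""Time-zone forensics over git commit metadata (author dates with UTC offsets)."""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample in the shape of `git log --format='%h %ad' --date=iso`.
# Hashes and timestamps are invented for this example, not real commits.
SAMPLE_LOG = """\
a1b2c3d 2023-06-27 17:27:09 +0800
b2c3d4e 2023-06-28 22:45:00 +0800
c3d4e5f 2023-06-29 23:10:30 +0800
d4e5f6a 2023-07-01 01:05:00 +0800
e5f6a7b 2023-07-03 15:30:00 +0300
f6a7b8c 2023-01-22 19:52:00 +0800
a7b8c9d 2023-06-30 16:00:00 +0800
b8c9d0e 2023-07-04 20:20:00 +0800
"""

# Assumed holiday table for the example; a real analysis needs a full calendar.
HOLIDAYS = {date(2023, 1, 22): "Chinese New Year"}

WORKDAY_START, WORKDAY_END = 9, 18  # 09:00 <= hour < 18:00 counts as working hours


def parse_log(text):
    """Return [(sha, aware datetime)] from lines '<sha> YYYY-MM-DD HH:MM:SS +HHMM'."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, stamp = line.split(" ", 1)
        commits.append((sha, datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")))
    return commits


def offset_histogram(commits):
    """Count the declared UTC offsets, e.g. {'+0800': 7, '+0300': 1}."""
    return Counter(dt.strftime("%z") for _, dt in commits)


def anomalous_offsets(commits):
    """Hashes of commits whose declared offset differs from the most common one."""
    modal = offset_histogram(commits).most_common(1)[0][0]
    return [sha for sha, dt in commits if dt.strftime("%z") != modal]


def working_hours_fraction(commits, offset_hours):
    """Share of commits inside working hours if the author really sat at UTC+offset_hours."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = sum(WORKDAY_START <= dt.astimezone(tz).hour < WORKDAY_END for _, dt in commits)
    return hits / len(commits)


def commits_on_holidays(commits, holidays=HOLIDAYS):
    """(sha, holiday) for commits whose local date in the *declared* zone is a holiday."""
    return [(sha, holidays[dt.date()]) for sha, dt in commits if dt.date() in holidays]


if __name__ == "__main__":
    cs = parse_log(SAMPLE_LOG)
    print("declared offsets:", dict(offset_histogram(cs)))
    print("commits with a non-modal offset:", anomalous_offsets(cs))
    for off in (8, 2):
        print(f"share of commits in working hours at UTC+{off}: "
              f"{working_hours_fraction(cs, off):.2f}")
    print("commits on declared-zone holidays:", commits_on_holidays(cs))
```

On the constructed data the declared UTC+8 zone puts only a quarter of the commits in working hours, while the UTC+2 hypothesis puts seven of eight there, one commit carries a stray +0300 offset, and one lands on the assumed holiday in the declared zone. None of these signals is conclusive on its own; the argument in the text rests on their combination.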

All of that points to Russia, and specifically to the Russian group APT29, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29, widely believed to work for Russia’s foreign intelligence agency, the SVR, has a reputation for technical care that few other hacker groups display. APT29 also carried out the SolarWinds compromise, perhaps the most sophisticated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more closely than the supply chain attacks of APT41 or Lazarus do, by comparison.

“He could be someone else,” Aitel says. “But I mean, if you’re looking for the worst performance in the world, then they’re going to be our dear friends at SVR.”

Security researchers agree, at least, that it is unlikely Jia Tan is a real person, or even a single person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization, and one that very nearly worked. That means we should expect to see Jia Tan return under other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code contributions.


