
The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind


Ultimately, Scott argues that those three years of code changes and polite emails were probably not spent sabotaging multiple software projects, but rather building a history of credibility in preparation for the sabotage of XZ Utils in particular – and possibly also of other projects in the future. “He never got around to it because we got lucky and found his stuff,” Scott said. “So that’s now burned, and he’ll have to go back to square one.”

Technical signs and time zones

Despite Jia Tan’s persona as an individual, their years of preparation are a hallmark of a well-organized, state-sponsored hacker group, argues Raiu, Kaspersky’s former chief researcher. The same goes for the technical characteristics of the malicious XZ Utils code that Jia Tan added. Raiu notes that at a glance the code really looks like a compression tool. “It was written in a very subversive way,” he says. It’s also a “passive” backdoor, Raiu says, so it wouldn’t be able to connect to a command-and-control server that could help identify the backdoor operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key, a key generated with a particularly strong cryptographic function known as ED448.

The careful design of the backdoor could be the work of US hackers, Raiu notes, but he suggests this is unlikely because the US would generally not sabotage open source projects – and if it did, the NSA would likely use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, such as China’s APT41, North Korea’s Lazarus Group and Russia’s APT29.

At a glance, Jia Tan definitely looks East Asian, or that’s the intention. The time zone of Jia Tan’s commits is UTC+8: that is China’s time zone, and just an hour away from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed their computer’s time zone to UTC+8 before each commit. In fact, several commits were made using a computer set to an Eastern European time zone instead, perhaps when Jia Tan forgot to make the change.

“Another indication that they are not from China is the fact that they worked on major Chinese holidays,” said Karty and Henniger, students at Dartmouth College and TU Munich, respectively. Boehs, the developer, adds that much of the work starts at 9am and ends at 5pm for Eastern European time zones. “The time frame of the agreements suggests that this was not a project they were undertaking outside of work,” Boehs said.
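The timestamp analysis described above can be reproduced on any repository. The following is an added example, not code from the article or from the researchers it quotes: the sample dates are constructed, the function names are hypothetical, and a fixed UTC+2 offset stands in for an Eastern European zone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, not real commit data: author dates in the form printed
# by `git log --format=%aI` (ISO 8601 with the author's self-reported offset).
SAMPLE_DATES = [
    "2023-01-09T17:12:04+08:00",
    "2023-01-10T19:40:31+08:00",
    "2023-01-11T21:05:10+08:00",
    "2023-01-12T11:47:55+02:00",
    "2023-01-13T16:30:00+08:00",
    "2023-01-16T22:15:42+08:00",
    "2023-01-17T14:02:09+02:00",
    "2023-01-18T23:50:27+08:00",
]

def parse(dates):
    return [datetime.fromisoformat(d) for d in dates]

def offset_profile(dates):
    """Count commits per recorded UTC offset, e.g. {'+0800': 6, '+0200': 2}."""
    return Counter(dt.strftime("%z") for dt in parse(dates))

def offset_outliers(dates):
    """Return the dates whose recorded offset differs from the dominant one."""
    dominant, _ = offset_profile(dates).most_common(1)[0]
    return [d for d, dt in zip(dates, parse(dates))
            if dt.strftime("%z") != dominant]

def office_hours_share(dates, utc_offset_hours, start=9, end=17):
    """Fraction of commits made Mon-Fri with start <= hour < end in a candidate
    zone. Works on the absolute instant, so changing the clock's time zone
    (not the clock itself) does not move the result. Fixed offset: no DST."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    local = [dt.astimezone(zone) for dt in parse(dates)]
    hits = sum(1 for t in local if t.weekday() < 5 and start <= t.hour < end)
    return hits / len(local)

if __name__ == "__main__":
    print("offsets:", dict(offset_profile(SAMPLE_DATES)))
    print("outliers:", offset_outliers(SAMPLE_DATES))
    for hours in (8, 2):
        share = office_hours_share(SAMPLE_DATES, hours)
        print(f"UTC{hours:+d} office-hours share: {share:.3f}")
```

On the constructed sample, the two commits with a minority offset stand out, and the office-hours share is far higher under UTC+2 than under the UTC+8 offset most commits claim.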

All these clues lead back to Russia, and in particular the Russian hacking group APT29, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity company Immunity. Aitel points out that APT29, which is widely believed to work for Russia’s foreign intelligence service known as the SVR, has a reputation for technical prowess of a kind that few other hacker groups display. APT29 also executed the SolarWinds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation, by comparison, is much closer to the backdoor style of XZ Utils than the cruder supply chain attacks of APT41 or Lazarus.

“It could very well be someone else,” Aitel says. “But I mean, if you’re looking for the most sophisticated malicious operations in the world, those are our dear friends at the SVR.”

In any case, security researchers agree that Jia Tan is unlikely to be a real person, or even just one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization – and one that almost worked. That means we can expect Jia Tan to return under different names: apparently polite and enthusiastic contributors to open source projects, who hide a government’s secret intentions in their code commits.
