Ultimately, Scott argues that those three years of code changes and polite emails were likely not spent sabotaging multiple software projects, but rather building up a history of credibility in preparation for the sabotage of XZ Utils specifically—and potentially other projects in the future. "He just never got to that step because we got lucky and found his stuff," says Scott. "So that's burned now, and he's gonna have to go back to square one."
Technical Ticks and Time Zones
Despite Jia Tan's persona as a single individual, their yearslong preparation is a hallmark of a well-organized state-sponsored hacker group, argues Raiu, the former Kaspersky lead researcher. So too are the technical hallmarks of the XZ Utils malicious code that Jia Tan added. Raiu notes that, at a glance, the code truly looks like a compression tool. "It's written in a very subversive manner," he says. It's also a "passive" backdoor, Raiu says, so it wouldn't reach out to a command-and-control server that might help identify the backdoor's operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key—one generated with a particularly strong cryptographic function known as ED448.
The backdoor's careful design could be the work of US hackers, Raiu notes, but he suggests that's unlikely, since the US wouldn't typically sabotage open source projects—and if it did, the National Security Agency would probably use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, like China's APT41, North Korea's Lazarus Group, and Russia's APT29.
At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan's commits is UTC+8: That's China's time zone, and only an hour off from North Korea's. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European time zone instead, perhaps when Jia Tan forgot to make the change.
"Another indication that they are not from China is the fact that they worked on notable Chinese holidays," say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. Boehs, the developer, adds that much of the work starts at 9 am and ends at 5 pm for Eastern European time zones. "The time range of commits suggests this was not some project that they did outside of work," Boehs says.
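The kind of check described above, as an added example (not the researchers' own code): it takes the UTC offset each commit claims, converts every timestamp back to the true UTC instant, and asks which candidate time zone would put the work inside a weekday 9-to-5 window. The timestamps, the holiday list and the candidate zones are constructed assumptions, not real Jia Tan commit data.

```python
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed git author timestamps (ISO 8601, with the offset the committer's
# machine reported). Illustrative only, not the real commit history.
SAMPLE_COMMITS = [
    "2023-06-12T14:30:00+08:00",
    "2023-06-13T18:10:00+08:00",
    "2023-06-14T20:45:00+08:00",
    "2023-06-15T21:30:00+08:00",
    "2023-06-16T17:15:00+08:00",
    "2023-06-19T19:00:00+08:00",
    "2023-06-21T15:40:00+03:00",  # clock left on Eastern European summer time
    "2023-06-22T11:05:00+03:00",
]

# Assumed holiday set for the holiday check; use an authoritative calendar.
HOLIDAYS = {date(2023, 6, 22)}  # constructed entry

WORK_START, WORK_END = 9, 17  # the "9 am to 5 pm" window, end exclusive


def stated_offsets(commits):
    """Count the UTC offsets the commits claim (what the author's clock said)."""
    return Counter(datetime.fromisoformat(c).strftime("%z") for c in commits)


def workday_fit(commits, offset_hours):
    """Fraction of commits landing on a weekday between 9 and 17 local time
    if the author really lived in UTC+offset_hours. The stated offset is
    ignored: each timestamp is first converted to its true UTC instant."""
    tz = timezone(timedelta(hours=offset_hours))
    hits = 0
    for c in commits:
        local = datetime.fromisoformat(c).astimezone(tz)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(commits)


def best_fitting_offset(commits, candidates=(8, 9, 3, 2)):
    """Candidate zone whose 9-to-5 work pattern explains the most commits."""
    return max(candidates, key=lambda h: workday_fit(commits, h))


def commits_on_holidays(commits, holidays=HOLIDAYS):
    """Commits whose stated local date falls on a listed holiday."""
    return [c for c in commits if datetime.fromisoformat(c).date() in holidays]
```

On the constructed sample the claimed UTC+8 clock explains only a quarter of the commits as office-hours work, while UTC+3 explains all of them.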
All of those clues lead back to Russia, and specifically Russia's APT29 hacking group, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29—widely believed to work for Russia's foreign intelligence agency, known as the SVR—has a reputation for technical care of a kind that few other hacker groups show. APT29 also carried out the SolarWinds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more closely than the cruder supply chain attacks of APT41 or Lazarus.
"It could very well be someone else," says Aitel. "But I mean, if you're looking for the most sophisticated supply chain attacks on the planet, that's going to be our dear friends at the SVR."
Security researchers agree, at least, that it's unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government's secret intentions in their code commits.