thaddeus e. grugq
Hacker :: PhD researcher @warstudies @KingsCollegeLon :: thegrugq@gmail.com :: PGP https://t.co/dYipV8y3bo

Mar 31, 2024, 12 tweets

The xz backdoor was the final part of a campaign that spanned two years of operations. These operations were predominantly HUMINT style agent operations. There was an approach that lasted months before the Jia Tan persona was well positioned to be given a trusted role.

The trigger for this “Quest for Maintainer” operation was a very long patch which was exactly the sort of thing that the maintainer was not able to process particularly well. New personas appeared to push on this issue. Jigar Kumar was the spearhead for this op.

The JK persona hounds Lasse (the maintainer) over multiple threads for many months. Fortunately for Lasse, his new friend and star developer is there, and even more fortunately, JT has the time available to help out with maintenance tasks. What luck!

This is exactly the style of operation a HUMINT organisation will run to get an agent in place. They will position someone and then create a crisis for the target, one which the agent is able to solve.

Every intelligence agency in the world could run this campaign, design and execute these operations. There is a serious level of technical acumen on display as well, the Jia Tan persona has to be able to do the work and talk the talk, but the core of this campaign is HUMINT.

The real treasure in the GitHub repository was the pull request comments. This is where the tradecraft of agent interactions could be observed. The PR threads and the xz mailing list reveal the tradecraft used by this group, including some revealing errors in their persona covers.

The xz campaign was patient, but it wasn’t slow. Jia Tan introduces himself around March 2022, and by January 2023 he is announcing an xz release. In March 2023 he takes over signing release tarballs.
12 months to go from zero to maintainer. That is not slow, that’s fast af.

In 2023 the operation to get the ifunc hook added to xz takes up the latter half of the year. They aren’t merged until October of 2023. There are cover operations that happen during this time as well, including an operation to lend credibility to the ifunc patch.

The entire campaign is very reasonably paced for an intelligence agency. They approach, get an agent in place, move the pieces into location, and then pull the trigger. Every stage is accomplished smoothly and with sufficient cover for action.

The way the campaign is falling apart under scrutiny is to be expected. They did not build a campaign to resist investigation, they built a campaign to avoid investigation. And they were successful. At no point in the campaign did they raise suspicion. It was just their bad luck.

Briefly, I want to address the issue of who is to blame. Easy — the people behind the attack. Lasse, the maintainer of xz, was the target of a patient intelligence campaign that invested more resources into subverting him than anyone invested into his project.

It is important to remember that Lasse is blameless in this. There is no individual, and very very few organisations, able to detect, let alone resist!, the directed interest of an intelligence agency.
