The xz backdoor was the final part of a campaign that spanned two years of operations. These operations were predominantly HUMINT style agent operations. There was an approach that lasted months before the Jia Tan persona was well positioned to be given a trusted role.
The trigger for this “Quest for Maintainer” operation was a very long patch which was exactly the sort of thing that the maintainer was not able to process particularly well. New personas appeared to push on this issue. Jigar Kumar was the spearhead for this op.
The JK persona hounds Lasse (the maintainer) over multiple threads for many months. Fortunately for Lasse, his new friend and star developer is there, and even more fortunately, JT has the time available to help out with maintenance tasks. What luck!
This is exactly the style of operation a HUMINT organisation will run to get an agent in place. They will position someone and then create a crisis for the target, one which the agent is able to solve.
Every intelligence agency in the world could run this campaign, design and execute these operations. There is a serious level of technical acumen on display as well, the Jia Tan persona has to be able to do the work and talk the talk, but the core of this campaign is HUMINT.
The real treasure in the GitHub repository was the pull request comments. This is where the tradecraft of agent interactions could be observed. The PR threads and the xz mailing list reveal the tradecraft used by this group, including some revealing errors in their persona covers.
The xz campaign was patient, but it wasn’t slow. Jia Tan introduces himself around March 2022, and by January 2023 he is announcing an xz release. In March 2023 he takes over signing release tarballs.
12 months to go from zero to maintainer. That is not slow, that’s fast af
In 2023 the operation to get the ifunc hook added to xz takes up the latter half of the year. They aren’t merged until October of 2023. There are cover operations that happen during this time as well, including an operation to lend credibility to the ifunc patch.
The entire campaign is very reasonably paced for an intelligence agency. They approach, get an agent in place, move the pieces into location, and then pull the trigger. Every stage is accomplished smoothly and with sufficient cover for action.
The way the campaign is falling apart under scrutiny is to be expected. They did not build a campaign to resist investigation, they built a campaign to avoid investigation. And they were successful. At no point in the campaign did they raise suspicion. It was just their bad luck.
Briefly, I want to address the issue of who is to blame. Easy — the people behind the attack. Lasse, the maintainer of xz, was the target of a patient intelligence campaign that invested more resources into subverting him than anyone invested into his project.
It is important to remember that Lasse is blameless in this. There is no individual, and very very few organisations, able to detect, let alone resist!, the directed interest of an intelligence agency.
1/What I learned about B2B sales strategies from Robert Hanssen’s 20 year career of espionage, some lessons on closing deals and keeping clients happy. #SalesTips #Espionage
🧵⤵️
2/ First lesson: Trust your gut and set your own terms. Hanssen didn’t rely on Soviet tradecraft; he made them use his own. Moral? Don’t always follow the client’s lead. Sometimes, you need to dictate the process to ensure success. #SalesStrategy
3/ Second lesson: Communication is key, but keep it subtle. Once, the Soviets left his payment in the wrong spot. A quick, coded call resolved it. In sales, open communications channels can save deals from going off-track. #Communication
Telegram is a social media platform, not a secure messenger. The primary use of the system is for groups, with one to one messaging occupying the same space as Twitter DMs.
Signal and Telegram address very different markets.
There is no Signal Telegram dichotomy. Signal is a secure messenger, Telegram is a social media app.
Telegram is constantly misrepresented as a secure messenger. It is not. It is a social media network with optional “privacy”¹ for direct messages.
It is hard to see how the developer Jia Tan is innocent. The backdoor was added in 5.6.0 by his account. He contacted Fedora to push them to move to 5.6.0. There was a problem with valgrind; they worked with him to resolve it. He commits the fix in 5.6.1.
If Jia Tan did not commit the backdoor in 5.6.0, and his account was hijacked, it strains credulity that he worked on fixing an issue introduced from a fraudulent commit in his name without noticing. Instead, he worked with Fedora to resolve the issue and committed a fix.
Seriously though, these sorts of attacks have been categorised as counter value operations (the Douhet strategy). And I’m willing to believe that is the Kremlin strategy here.
I just wonder if the mid level commanders believe it will work?
@ravirockks @onixIT Or, are they just doing what they get told to do / what they know their bosses expect them to do?
If you spent a couple months gaining access to Kyivstar and then destroy everything just because “it’s Monday” wouldn’t you feel like you’ve wasted your time?
@ravirockks @onixIT It’s totally pointless to spend so many resources to cause so little strategic change.
Of course, this seems to be the Russian theory of victory — waste massive resources, achieve nothing of strategic value.
A critical security feature is self cleansing (this is one of the reasons you cannot have secure email). The next critical component is strong encryption with PFS. The third leg of the “actually secure” tripod is anonymous + disposable accounts. Nothing ticks all the boxes.
Signal: self cleansing, strong encryption, accounts are linked to a smartcard
Possibly the only safe option is a self hosted Signal service with customized apps, but there’s no documentation or Docker for setting one up. And it wouldn’t scale to a large enough population to provide cover traffic. Maybe XMPP + OMEMO, but that’s a different set of problems.