Backdoor Hack That (Almost) Took Down Millions of Computers Focus of Pending Center for Cyber-Social Dynamics Podcast Episode

Earlier this year, Microsoft Developer Andres Freund was working on optimizing the performance of his computer. While he was combing through his programs, he noticed that one was using an unexpected amount of processing power, which led him to become suspicious.

The source of the problem? He discovered a backdoor hack in XZ Utils, a data compression utility used by many Linux-based computer applications. The repercussions could have been extremely dire because the utility – while not consumer-facing – supports important computing and internet functions like secure communications between devices.

The backdoor, put in motion by a mysterious developer on GitHub – a large and widely used platform for open-source code repositories used by developers the world over – was buried deep in the code in binary test files. The discovery, which Freund wisely posted to a security mailing list, fortunately averted a large-scale security catastrophe that could have adversely impacted millions of users. Essentially, any machine running an operating system with the backdoored utility would have been vulnerable to being compromised, potentially allowing an attacker to take control.

The XZ backdoor is an example of a software supply chain attack, a hacking technique that has become increasingly common. Such attacks can take various forms, but the common goal is to hide malicious code – or malware – in widely used and legitimate programs. What made this event so shocking to the cybersecurity and open-source software community was that the malware was injected into the utility by none other than the lead steward of the utility's code repository, a user who identified themselves as Jia Tan.

While nothing is known about Jia Tan’s identity, as reported by Ars Technica and Wired, the highly technical and sophisticated features of the hack, combined with their approach to gaining (and, ultimately, controlling) access to the code, have left many in the world of cybersecurity speculating that the actions were backed by state-sponsored actors. Very good ones.

The occurrence of the XZ Utils backdoor is the focus of an upcoming episode of the Center for Cyber-Social Dynamics (CCSD) Podcast, hosted by the center’s director John Symons, professor of philosophy at the University of Kansas, and David Tamez, assistant research professor and research program director with KU’s Institute for Information Sciences (I2S). CCSD is one of six bodies of research that make up the institute. The episode will showcase a discussion between the two hosts and I2S Director Perry Alexander about the significance of the event and the importance of safeguarding against similar cybersecurity threats.

The podcast episode, which should be available to the public sometime in May, can be found on the Center for Cyber-Social Dynamics website or wherever you find your podcasts.