Reflecting on JiaT75

Joe Christian
9 min read · Apr 6, 2024


I presented to a small crowd at DakotaCon in Madison, SD, precisely one week before the XZ Utils compromise. My talk, “Locking Down the Lifecycle: Integrating Security into CI/CD Processes,” shed light on the challenges defenders currently face in software security. The following two slides from my talk illustrate this reality.

Common Pain Points for CI/CD Security
Why We’re Seeing Threat Actors Target CI/CD Infrastructure

When you put all of this information together, you have to ask yourself a critical question.

If I were a state-sponsored threat actor, why wouldn’t I target software and its deployment systems?

Let’s dive deep into the mysterious world of the XZ Utils compromise.

Existing Literature

It’s likely that by now, the majority of people on the internet have heard about the chaotic events that took place. If you’ve only just stumbled upon this blog and are unaware of what happened, there are several excellent blogs and articles available for you to catch up on.

Awesome Diagram Courtesy of Thomas Roccia

An Entity, Not An Individual

After examining all the technical information available to us, it is evident that the compromise in the supply chain was the work of a state-sponsored actor. The identity known as JiaT75 was first established in 2021. Over the next few years, JiaT75 continued to make valuable contributions to the codebase to gain the open-source community’s trust. However, the situation drastically turned in late February 2024 when malicious commits were merged into the codebase. Why would an individual suddenly destroy the very project and all the goodwill they had earned over the past three years?

At first glance, one might think that this was a consequence of a mental breakdown or underlying illness. Perhaps, JiaT75 felt overwhelmed as an open-source maintainer and finally reached a breaking point. Underpayment and lack of recognition for OSS maintainers are significant issues in the industry. However, JiaT75’s commits indicate the opposite. The persona even included a happy face in their recent commit to Google’s oss-fuzz project. At face value, these don’t appear to be the words of someone who is stressed, unhappy, or irritated.

JiaT75’s Commit To Google’s oss-fuzz Project

Security reporter Brian Krebs analyzed JiaT75’s registered email address and observed the following.

The email addresses used for a couple of years at least by the parties involved have absolutely *zero* trace in any kind of data breach or database beyond Github/Gitlab, and maybe Tukaani and Debian and a few mailing lists. Normally when I see this, the assumption is that we’re dealing with a single-use or single-purpose email address that was created either for fraud or b/c someone is super paranoid about privacy.

JiaT75 appears to have connected almost exclusively from the Singapore IP address 185.128.24.163, and that address belongs to the VPN service Witopia. Given the technical sophistication of the backdoor, the duration of the operation, the abrupt change in behavior, and JiaT75’s operational security, it is clear that this is the work of a state-sponsored actor.

Not A Western Threat Actor (FVEY)

The recent security breach was a software supply chain compromise in which malicious code was merged into an open-source project used across the globe. Of particular interest is the way the backdoor’s cryptography is implemented. Costin Raiu discusses this implementation in detail on Ryan Naraine’s podcast.

The algorithm they chose for this particular task is the Edwards curve 448, which is a bit unusual. Everywhere, pretty much everywhere if you look around on the internet nowadays people use the Edwards curve 25519 which provides 128 bits of security. It’s, I would say, the standard nowadays. This curve, the one that we have here ED448, it provides a bit over 200 bits of security.

You may say 200 bits is better than 128, but in reality, with today’s technology, it makes no difference. Both of them are vulnerable to quantum computers. So if someone creates a quantum computer, a reasonably powerful one, it will break both versions. So the only reason to use that is maybe one, if they somehow suspect that somebody has a computing advance that allows them to break 25519 or in the near future, but not the more sophisticated ED448. Or the other thing that I was thinking here, they wanted to avoid exactly what you were saying, attribution by code similarity or engines or tools or AI spotting the ED25519 code in the air.

The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States. While these Western-based intelligence entities have the financial backing, time, and personnel to execute an attack on XZ Utils, there are a few reasons to rule them out.

  1. The Western-backed nation-state actors have other exploitation capabilities. It is reasonable to assume that these apparatuses have either OpenSSH zero days they can exploit or other capabilities at their disposal to accomplish their goal.
  2. A Western-backed nation would likely use a quantum-resistant algorithm instead of the ED448 curve. The National Security Agency (NSA) has been extremely vocal about the need to migrate to quantum-resistant algorithms.
  3. A Western-backed nation would be subject to review boards and laws governing its operations. Potential infection of allies or innocent bystanders would be met with red tape.

Based on the above, I think it is safe to conclude this is not the work of the FVEY nations.

Who Do I Think is Behind JiaT75?

As I progress through my doctoral program, my dissertation focus has been on exploring the complexities of software supply chain security. This topic has captured my attention due to its intricate and multifaceted nature, and I find it a fascinating and crucial area of study. One of the joys of conducting dissertation research is becoming intimately familiar with past events related to your research area. With that in mind, I thank JiaT75 for significantly adding to the literature for my upcoming research 😆.

I have always suspected that the XZ news might be the result of the activities of a North Korean threat actor, such as the notorious Lazarus Group or Diamond Sleet. This particular group has been extensively involved in exploiting vulnerabilities within software supply chains and targeting CI/CD (Continuous Integration/Continuous Deployment) infrastructure over the last four years.

Microsoft Threat Intelligence on Diamond Sleet (DPRK)

As far back as July 2020, North Korean threat actors have been using sock puppet accounts to target security researchers. Google’s Threat Analysis Group (TAG) has publicly documented two such campaigns. Here’s an excerpt from TAG’s first report:

In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets. They've used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits and for amplifying and retweeting posts from other accounts that they control.

Google TAG Identified Accounts in 2021

Their blog contains write-ups and analysis of vulnerabilities that have been publicly disclosed, including “guest” posts from unwitting legitimate security researchers, likely in an attempt to build additional credibility with other security researchers.

In TAG’s 2023 blog, we see a similar behavioral pattern. Here’s another excerpt from that write-up:

Similar to the previous campaign TAG reported on, North Korean threat actors used social media sites like X (formerly Twitter) to build rapport with their targets. In one case, they carried on a months-long conversation, attempting to collaborate with a security researcher on topics of mutual interest. After initial contact via X, they moved to an encrypted messaging app such as Signal, WhatsApp or Wire. Once a relationship was developed with a targeted researcher, the threat actors sent a malicious file that contained at least one 0-day in a popular software package.

Google TAG Identified Account in 2023

It’s important to note that JiaT75’s account was created around the same time (July 2021), and it’s hard to ignore that this recent activity seems to fit a particular pattern. It appears to be a sock puppet account that actively engages with the open-source community, specifically focusing on software supply chain compromises.

It’s important to note that much of the current attribution thesis rests on the timestamps of JiaT75’s git commits. Rhea Karty and Simon Henniger examined JiaT75’s commit history and found that most of the timestamps carried a UTC+08 offset. At times, Jia switched between +0800 and +0300/+0200 at an implausible time. It’s crucial to remember that JiaT75 routed their traffic through a VPN. Their operational security was very good, and we should treat the timestamps as only a single data point in an assessment.

The analysis of timestamps aims to identify a pattern of life. State-sponsored operations typically function like regular jobs. Employees clock in, work, clock out, and celebrate holidays. North Korea is an outlier in this regard, as highlighted by Costin Raiu.
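To make the pattern-of-life idea concrete, here is an added example (not code from the post, nor from Karty and Henniger’s analysis) that runs over constructed git log lines in `git log --format='%H %ci'` style: it tallies the recorded UTC offsets, projects every commit into one candidate zone to see whether working hours cluster there, and flags offset switches that occur too close together in real time to be physical travel. The hashes and timestamps are made up.

```python
"""Pattern-of-life analysis over git commit timestamps (stdlib only, Python 3.8+)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Constructed sample log: hashes and times are invented for illustration.
SAMPLE_LOG = """\
a1b2c3d 2024-02-20 10:15:02 +0800
b2c3d4e 2024-02-20 14:40:11 +0800
c3d4e5f 2024-02-21 09:05:47 +0800
d4e5f6a 2024-02-21 11:30:00 +0300
e5f6a7b 2024-02-21 16:12:09 +0800
f6a7b8c 2024-02-22 15:58:33 +0200
"""

Commit = Tuple[str, datetime]  # (sha, offset-aware timestamp)


def parse_log(text: str) -> List[Commit]:
    """Parse '<sha> YYYY-MM-DD HH:MM:SS +HHMM' lines into offset-aware datetimes."""
    commits: List[Commit] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, date, clock, tz = line.split()
        commits.append((sha, datetime.strptime(f"{date} {clock} {tz}", "%Y-%m-%d %H:%M:%S %z")))
    return commits


def offset_histogram(commits: List[Commit]) -> Dict[str, int]:
    """How often each recorded offset (e.g. '+0800') appears across the history."""
    return dict(Counter(ts.strftime("%z") for _, ts in commits))


def hours_in_zone(commits: List[Commit], offset_minutes: int) -> List[int]:
    """Project every commit into one candidate zone, ignoring the recorded offset.
    Under the true zone a human's commits should cluster in daytime working hours."""
    zone = timezone(timedelta(minutes=offset_minutes))
    return [ts.astimezone(zone).hour for _, ts in commits]


def implausible_switches(commits: List[Commit], window: timedelta = timedelta(hours=3)):
    """Consecutive commits (in UTC order) whose offsets differ while less than `window`
    apart: nobody crosses five or six time zones that fast, so one offset is a clock or
    configuration artefact, or a slip that reveals the real zone."""
    ordered = sorted(commits, key=lambda c: c[1])  # aware datetimes compare in UTC
    flagged = []
    for (sha_a, a), (sha_b, b) in zip(ordered, ordered[1:]):
        if a.utcoffset() != b.utcoffset() and (b - a) < window:
            flagged.append((sha_a, sha_b, a.strftime("%z"), b.strftime("%z")))
    return flagged
```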

From Ryan’s Podcast with Costin Raiu

Elevating The Engineering Bar

In recent weeks, some security experts have raised suspicions that Russia’s SVR may be responsible for the XZ compromise. The SVR was previously linked to the SolarWinds Orion supply chain breach in 2021. Many believe that the XZ compromise, being a technically advanced supply chain attack carried out over an extended period, aligns with the SVR’s known tactics.

North Korean threat actors’ technical sophistication and opportunism have been quietly increasing. In early 2023, the 3CX software supply chain compromise was disclosed and was also attributed to North Korean actors. Mandiant has a fantastic write-up on the compromise. What is especially notable about this example is the use of a cascading supply chain attack. Here’s an excerpt from the Mandiant write-up:

In March 2023, Mandiant Consulting responded to a supply chain compromise that affected 3CX Desktop App software. During this response, Mandiant identified that the initial compromise vector of 3CX’s network was via malicious software downloaded from Trading Technologies website. This is the first time Mandiant has seen a software supply chain attack lead to another software supply chain attack.

Mandiant 3CX Software Supply Chain Compromise Linked to Trading Technologies Software Supply Chain Compromise

What is even more interesting is that the 3CX portion of the compromise was not limited to the Windows version. The North Korean threat actors also backdoored the macOS version of the software, which is a more niche landscape. At the time, I was following Patrick Wardle’s research on Twitter/X. I would highly recommend watching his Black Hat 2023 talk, which analyzed the macOS variant in detail. Overall, it is clear that North Korean threat actors are quickly expanding their scope of targets and are focused on downstream supply chain attacks.

Conclusion

I want to make it clear that what I am expressing is an opinion. Our technical data points about JiaT75’s identity are limited at this time, and conducting proper attribution is incredibly difficult. I am not solely focused on CTI, but rather, I am a practitioner from the application security space. It’s possible that the actor behind this could be the SVR or perhaps China. Personally, I have always leaned towards North Korea, and I wanted to share my perspective with the community. In intelligence, it’s essential to bring different perspectives to the table to avoid potential biases. With that, I hope you enjoyed this read and learned something new.


Computer Hacker, Pen Tester, and Bug Hunter. Opinions expressed are solely my own and do not express the views or opinions of my employer.