This guy may have just stopped a massive cyberattack – Tech News (Trending Perfect)


The story began earlier this year, when Freund was returning from visiting his parents in Germany. While reviewing the log of some automated tests, he noticed error messages that he did not recognize. He was jet-lagged, and the messages didn't seem urgent, so he made a mental note of them and moved on.

But a few weeks later, while running more tests at home, he noticed that an application called SSH, which is used to log in to remote computers, was using more processing power than usual. He traced the problem to a suite of data compression tools called xz Utils, and wondered whether it was related to the errors he had seen earlier.

(Don't worry if these names sound like Greek to you. All you really need to know is that these are all small components of the Linux operating system, which is probably the most important piece of open source software in the world. The majority of the world's servers, including those used by banks, hospitals, governments and Fortune 500 companies, run on Linux, making its security an issue of global concern.)

Like other popular open source software, Linux is updated all the time, and most bugs are the result of innocent mistakes. But when Freund looked more closely at the xz Utils source code, he saw evidence that it had been intentionally tampered with.

Specifically, he discovered that someone had planted malicious code in the latest versions of xz Utils. The code, known as a backdoor, would allow its creator to hijack a user's SSH connection and secretly run their own code on that user's device.


At first, Freund doubted his findings. Had he really discovered a backdoor in one of the most scrutinized pieces of open source software in the world?

“It felt surreal,” he said. “There were moments where I felt like I had just had a bad night's sleep and had some fever dreams.”

But his research kept turning up new clues, and last week Freund sent his findings to a group of open source software developers. The news set the technology world on fire. Within hours, a fix had been developed, and some researchers were crediting him with preventing a potentially historic cyberattack.

“This would have been the most widespread and effective backdoor ever in any software product,” said Alex Stamos, chief trust officer at SentinelOne, a cybersecurity research firm.

Had it not been discovered, the backdoor “would have given its creators a master key to any of the hundreds of millions of computers around the world running SSH,” Stamos said. This key could have allowed them to steal private information, plant crippling malware, or cause major infrastructure disruptions — all without being caught.

Microsoft CEO Satya Nadella praised Freund's “curiosity and ingenuity.” (Credit: AP)

No one knows who planted the backdoor. But the plot appears to have been so elaborate that some researchers believe only a country with formidable hacking capabilities, such as Russia or China, could have attempted it.

According to some researchers who reviewed the evidence, the attacker appears to have used a pseudonym, “Jia Tan,” to suggest changes to xz Utils dating back to 2022. (Many open source software projects are run as a hierarchy: developers suggest changes to the software's code, and more experienced developers known as “maintainers” then have to review and approve those changes.)

The attacker using the name Jia Tan appears to have spent several years slowly gaining the trust of the other xz Utils developers and taking on more control over the project, eventually becoming a maintainer, and finally inserting the hidden backdoor code earlier this year. (The compromised version of the code had been released, but was not yet in widespread use.)


Freund declined to guess who might be behind the attack. But he said the person was sophisticated enough to try to cover their tracks, including by adding code that made the backdoor harder to detect.

“It was very ambiguous,” he added. “They clearly put a lot of effort into trying to hide what they were doing.”

Since his findings became public, Freund said, he has been helping teams that are trying to reverse engineer the attack and identify the culprit. But he has been too busy to rest on his laurels. The next version of PostgreSQL, the database software he works on, is due out later this year, and he is trying to get some last-minute changes in before the deadline.
