The Mystery of ‘Jia Tan,’ the XZ Backdoor Mastermind

Ultimately, Scott argues that those three years of code changes and polite emails were likely not spent sabotaging multiple software projects, but rather building up a history of credibility in preparation for the sabotage of XZ Utils specifically—and potentially other projects in the future. “He just never got to that step because we got lucky and found his stuff,” says Scott. “So that’s burned now, and he’s gonna have to go back to square one.”

Technical Ticks and Time Zones

Despite Jia Tan’s persona as a single individual, their yearslong preparation is a hallmark of a well-organized state-sponsored hacker group, argues Raiu, the former Kaspersky lead researcher. So too are the technical hallmarks of the XZ Utils malicious code that Jia Tan added. Raiu notes that, at a glance, the code truly looks like a compression tool. “It’s written in a very subversive manner,” he says. It’s also a “passive” backdoor, Raiu says, so it wouldn’t reach out to a command-and-control server that might help identify the backdoor’s operator. Instead, it waits for the operator to connect to the target machine via SSH and authenticate with a private key—one generated with a particularly strong cryptographic function known as ED448.

The backdoor’s careful design could be the work of US hackers, Raiu notes, but he suggests that’s unlikely, since the US wouldn’t typically sabotage open source projects—and if it did, the National Security Agency would probably use a quantum-resistant cryptographic function, which ED448 is not. That leaves non-US groups with a history of supply chain attacks, Raiu suggests, like China’s APT41, North Korea’s Lazarus Group, and Russia’s APT29.

At a glance, Jia Tan certainly looks East Asian—or is meant to. The time zone of Jia Tan’s commits is UTC+8: That’s China’s time zone, and only an hour off from North Korea’s. However, an analysis by two researchers, Rhea Karty and Simon Henniger, suggests that Jia Tan may have simply changed the time zone of their computer to UTC+8 before every commit. In fact, several commits were made with a computer set to an Eastern European time zone instead, perhaps when Jia Tan forgot to make the change.

“Another indication that they are not from China is the fact that they worked on notable Chinese holidays,” say Karty and Henniger, students at Dartmouth College and the Technical University of Munich, respectively. Boehs, the developer, adds that much of the work starts at 9 am and ends at 5 pm for Eastern European time zones. “The time range of commits suggests this was not some project that they did outside of work,” Boehs says.
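The kind of commit-timestamp analysis described above can be sketched as follows. This is an added example, not code from Karty and Henniger or from the article; the log lines are constructed, and the function names and the UTC+2 candidate offset (Eastern European winter time) are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, one "<id> <author date>" pair per line, in the shape
# produced by `git log --format='%h %aI'`. Not real XZ Utils history.
SAMPLE_LOG = """\
c01 2023-03-06T17:30:11+08:00
c02 2023-03-07T19:05:42+08:00
c03 2023-03-08T21:48:03+08:00
c04 2023-03-09T12:20:37+02:00
c05 2023-03-10T16:02:19+08:00
c06 2023-03-13T22:41:55+08:00
c07 2023-03-14T10:15:08+02:00
c08 2023-03-15T18:33:27+08:00
"""


def parse_log(text):
    """Return [(commit_id, aware datetime)] from '<id> <ISO 8601 date>' lines."""
    commits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        commit_id, stamp = line.split()
        commits.append((commit_id, datetime.fromisoformat(stamp)))
    return commits


def offset_hours(when):
    """UTC offset recorded in the commit, in hours (set by the author's machine)."""
    return when.utcoffset() / timedelta(hours=1)


def offset_profile(commits):
    """Count commits per recorded UTC offset."""
    return Counter(offset_hours(when) for _, when in commits)


def offset_outliers(commits):
    """Commit ids whose recorded offset differs from the author's usual one."""
    dominant, _ = offset_profile(commits).most_common(1)[0]
    return [cid for cid, when in commits if offset_hours(when) != dominant]


def office_hours_share(commits, candidate_offset, start=9, end=17):
    """Fraction of commits falling in start..end local time if the author
    actually sat in the zone at candidate_offset hours from UTC."""
    zone = timezone(timedelta(hours=candidate_offset))
    hits = sum(start <= when.astimezone(zone).hour < end for _, when in commits)
    return hits / len(commits)


if __name__ == "__main__":
    commits = parse_log(SAMPLE_LOG)
    print("offsets:", dict(offset_profile(commits)))
    print("outliers:", offset_outliers(commits))
    for candidate in (8, 2):
        print(f"UTC{candidate:+d} office-hours share:",
              office_hours_share(commits, candidate))
```

The recorded offset is client-supplied metadata, so the outliers and the working-hours fit are corroborating signals for a maintainer review, not proof of location.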

All of those clues lead back to Russia, and specifically Russia’s APT29 hacking group, argues Dave Aitel, a former NSA hacker and founder of the cybersecurity firm Immunity. Aitel points out that APT29—widely believed to work for Russia’s foreign intelligence agency, known as the SVR—has a reputation for technical care of a kind that few other hacker groups show. APT29 also carried out the SolarWinds compromise, perhaps the most deftly coordinated and effective software supply chain attack in history. That operation matches the style of the XZ Utils backdoor far more than the cruder supply chain attacks of APT41 or Lazarus, by comparison.

“It could very well be someone else,” says Aitel. “But I mean, if you’re looking for the most sophisticated supply chain attacks on the planet, that’s going to be our dear friends at the SVR.”

Security researchers agree, at least, that it’s unlikely that Jia Tan is a real person, or even one person working alone. Instead, it seems clear that the persona was the online embodiment of a new tactic from a new, well-organized organization—a tactic that nearly worked. That means we should expect to see Jia Tan return by other names: seemingly polite and enthusiastic contributors to open source projects, hiding a government’s secret intentions in their code commits.

Big-Name Targets Push Midnight Blizzard Hacking Spree Back Into the Limelight

Microsoft and Hewlett-Packard Enterprise (HPE) both recently disclosed that they suffered corporate email breaches at the hands of Russia’s “Midnight Blizzard” hackers.

The group, which is tied to the Kremlin’s SVR foreign intelligence, is specifically linked to SVR’s APT 29 Cozy Bear, the gang that meddled in the United States 2016 presidential election, has conducted aggressive government and corporate espionage around the world for years, and was behind the infamous 2021 SolarWinds supply chain attack. While both HP’s and Microsoft’s breaches came to light within days of each other, the situation mainly illustrates the ongoing reality of Midnight Blizzard’s international espionage activities and the lengths it will go to to find weaknesses in organizations’ digital defenses.

“We shouldn’t be surprised that Russian intelligence-backed threat actors, and SVR in particular, are targeting tech companies like Microsoft and HPE. With organizations that size, it would be a much bigger surprise to learn they weren’t,” says Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security.

HP Enterprise said in a US Securities and Exchange Commission submission posted on Wednesday that Midnight Blizzard gained access to its “cloud-based email environment” last year. The company first learned about the situation on December 12, 2023, but said that the attack began in May 2023. Hackers “accessed and exfiltrated data … from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company wrote in the SEC filing. HP Enterprise said the breach likely came about as the result of another incident, discovered in June 2023, in which Midnight Blizzard also accessed and exfiltrated company “SharePoint” files beginning as early as May 2023. SharePoint is a much-targeted cloud collaboration platform made by Microsoft that integrates with Microsoft 365.

“The accessed data is limited to information contained in the HPE users’ email boxes,” HP Enterprise spokesperson Adam Bauer told WIRED in a statement. “We continue to investigate and analyze these mailboxes to identify information that could have been accessed and will make appropriate notifications as required.”

Meanwhile, Microsoft said on Friday that it detected a system intrusion on January 12 tied to a November 2023 breach. The attackers targeted and compromised some historic Microsoft system test accounts that then allowed them to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there the group was able to exfiltrate “some emails and attached documents.” Microsoft noted in its disclosure that the attackers appeared to be seeking information about Microsoft’s investigations and knowledge of Midnight Blizzard itself.

“The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems,” the company wrote in its disclosure. “This attack does highlight the continued risk posed to all organizations from well-resourced nation-state threat actors like Midnight Blizzard.”

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

“EBay’s actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication Volkskrant claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, have seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

The SEC’s Official X Account Was ‘Compromised’ and Used to Post Fake Bitcoin News

The official X account of the United States Securities and Exchange Commission was “compromised” this afternoon, resulting in the publication of an “unauthorized” post, according to SEC chair Gary Gensler. The account, @SECGov, also said the account had been compromised.

“The SEC has determined that there was unauthorized access to and activity on the @SECGov account by an unknown party for a brief period of time shortly after 4 pm ET,” an SEC spokesperson said in a statement to WIRED. “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

X has not yet responded to WIRED’s request for comment.

The @SECGov account published a post this afternoon regarding the regulatory status of Bitcoin ETFs, a financial product that would allow people to invest in bitcoin like standard stocks. The post, which also included an image with an apparently fake quote from Gensler, has since been deleted.

The fake post appeared to lead to a brief spike in Bitcoin’s value of around 2.5 percent, to nearly $47,870, before crashing around 3.2 percent from its original price.

Following news of the SEC’s compromised account, US senator Bill Hagerty said in a post on X that Congress should investigate the incident.

“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened,” Hagerty, a Tennessee Republican, wrote. “This is unacceptable.”

This is at least the second high-profile compromise of an X account in recent days. Mandiant, a leading cybersecurity firm now owned by Google, had its X account hacked on January 3. A scammer used their access to post a malicious link in an attempt to steal cryptocurrency from victims.

X owner Elon Musk’s aggressive slashing of the company’s staff has, over the past year, raised fears that the cuts would leave X (formerly Twitter) unable to secure a platform depended on by users that include high-profile figures and government agencies worldwide. One former Twitter information security official sued Musk and others for alleged wrongful termination after he was fired for, he claims in the lawsuit, arguing that the staff cuts would interfere with X’s ability to comply with a 2011 consent decree with the US Federal Trade Commission to protect users’ personal information.

23andMe Blames Users for Recent Data Breach as It’s Hit With Dozens of Lawsuits

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. In order to “break military parity” with Russia, Ukraine’s top general says that Kyiv needs an inspired military innovation that equals the magnitude of inventing gunpowder to decide the conflict in the process of advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users’ accounts and abused this access to scrape personal data from a larger subset of users through the company’s opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and laid in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructive messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.