
Data center: Many Linux servers would have been directly affected by the attack

Photo: Matthias Balk/dpa

An apparently long-planned attack on important parts of the Internet's infrastructure was most likely thwarted by the attentiveness of 38-year-old German-born developer Andres Freund. Security experts around the world are now analyzing the perpetrators' actions and drawing conclusions for the future.

The previously unknown attackers had covertly inserted a backdoor into the xz compression software that, under certain conditions, would have made it possible to compromise millions of systems. The program comes pre-installed with many Linux distributions and is therefore widely used on servers, development machines and even IoT devices. "It's one of those moments when we wipe our brow and say: We were really lucky," explains Satnam Narang, a security researcher at Tenable who has studied the malicious code extensively.

Still, the Federal Office for Information Security (BSI) is currently advising system administrators to check whether a manipulated xz version is installed on their Linux systems, which is certainly possible in some cases. The Bonn-based authority classified the IT threat situation as "business-critical".
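As an added illustration of the check the BSI recommends (this script is not part of the article or of any BSI publication), the following POSIX shell script reads the installed xz version and compares it against the two upstream releases known to contain the backdoor, 5.6.0 and 5.6.1 (tracked as CVE-2024-3094). The version numbers and the CVE identifier are public facts not stated in the article; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or the BSI advisory.
# Classifies an installed xz-utils version as "affected", "clean" or
# "unknown". Only the two upstream releases 5.6.0 and 5.6.1 carried the
# backdoor (CVE-2024-3094); distributions that shipped 5.6.x may have
# patched or downgraded since, so treat "affected" as a prompt to consult
# your distribution's advisory and verify package signatures, not as proof.

# Return "affected", "clean" or "unknown" for a bare version string.
xz_version_status() {
    case "$1" in
        5.6.0|5.6.1) echo affected ;;
        [0-9]*.[0-9]*) echo clean ;;
        *) echo unknown ;;
    esac
}

# Extract the version number from the first line of `xz --version`,
# e.g. "xz (XZ Utils) 5.4.6" -> "5.4.6". Returns an empty string if the
# banner does not look like XZ Utils output.
xz_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the xz binary on PATH, if there is one. The backdoor itself lived in
# liblzma, the library behind the tool, so the library packaged with the
# binary is what the version number actually tells you about.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not found on PATH"
        return 0
    fi
    banner=$(xz --version 2>/dev/null | head -n 1)
    ver=$(xz_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "could not parse xz version banner: $banner"
        return 0
    fi
    echo "xz $ver: $(xz_version_status "$ver")"
}

check_installed_xz
```

Run it as a regular user on each Linux host; no root privileges are needed, since it only invokes `xz --version`. On systems that install several copies of liblzma (containers, statically linked tools), the check must be repeated for each copy.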

Open source software in focus

The case has therefore once again drawn attention to the security of open source software: programs whose source code is publicly available, often developed by volunteers, and which form the basis of the Internet's infrastructure thanks to their transparency and flexibility. Many such projects depend on a small circle of unpaid programmers.

For a long time, the xz project was the responsibility of a single developer. In recent years, however, Lasse Collin has struggled to keep up with the many demands placed on him. In a message posted to a mailing list in June 2022, Collin explained that he was struggling with "long-term mental health issues." At the same time, he announced that he was working with a new developer named Jia Tan, who would "perhaps take on a larger role" in the future. Commit logs on the code-hosting platform GitHub showed Tan's role expanding rapidly. The seemingly selfless helper eventually smuggled an almost invisible backdoor into xz.

It is still unclear who is behind the pseudonym. Tan did not respond to messages sent to his Gmail account. However, there is much to suggest that it was an attacker or an entire group with good training and lots of resources. “This is not kindergarten knowledge,” said Omkhar Arasaratnam, executive director of the Open Source Security Foundation. The malicious code and the method of spreading it are “incredibly sophisticated.”

The Cybersecurity and Infrastructure Security Agency (CISA), the US counterpart to the BSI, urges companies to invest more resources in the developers of such software. The tech industry must not only vet open source software before using it in its own operations, but also "contribute to creating a sustainable open source ecosystem from which we all benefit," CISA advisor Jack Cable told the Reuters news agency.

An example of such support is Andres Freund, who was working on another open source project, a database, when he discovered the critical backdoor. The German-born developer lives in the tech metropolis of San Francisco and is paid by Microsoft. The programmer has now received high praise from the very top: Microsoft CEO Satya Nadella commended him for his curiosity and skills in a post.

Freund himself wrote on "Without having previously supported the project with many submissions."

tmk/Reuters/dpa