The cyber threat landscape in 2023 showed that criminals are relentlessly innovative. Criminals evolved and this demanded constant vigilance and adaptation by cyber security practitioners.

Throughout 2023 and 2022, ITNOW listed and analysed the years’ biggest cyber attacks.

Our aim, as ever, was to uncover who got hacked, to understand how and to share any lessons that could be learned.

During 2024, we plan to do the same — so bookmark this page and please keep checking in.

Cybersecurity in 2024

When the World Economic Forum publishes a list of ‘trends’ in cyber threats it is a sure sign that the impact of attacks and breaches on the overall economy is significant. At the beginning of each calendar year it is traditional to reflect on, and tally up from the previous year, emerging trends in cyber attacks. It is good to understand the Tactics, Techniques and Procedures (TTPs) of the adversaries we face. It is also good to spot any new methods or any shift in targets, the better to be prepared for the coming year.

To help with this, many top security companies, with customers across the globe, publish their own reports on such trends in attack modes and targets. One report that is always eagerly anticipated is from IBM. Its X-Force Threat Intelligence Index 2024 identifies trends in all these vital areas, based on data from 2023.

Picking out some highlights, as the report runs to a hefty 64 pages, the methods for Initial Access are shifting. The use of legitimate credentials is now top of the list, with phishing knocked off the top spot from last year into second. Third place goes to internet-facing applications with exploitable weaknesses. This trend is a sign that detection and prevention methods within the security framework are having some success: breaking into most corporate networks is very difficult without some form of legitimate ‘foothold’. Another observation from IBM’s team is a possible shift in emphasis for some ransomware groups: rather than encrypting and ‘ransoming’ a company’s data, they prefer to simply steal it. There has been a 266% increase in the use of infostealer software such as Rhadamanthys, LummaC2 and StrelaStealer.

Two other significant takeaways from the report are that 84% of attacks on critical infrastructure (energy, telecoms, water etc.) gained initial access through preventable weaknesses and that attacks in Europe increased by 31% year on year. Regarding the critical infrastructure attacks the report concludes that better asset and patch management, along with credential hardening and using the principle of least privilege, could have prevented these attacks.

There was at least one positive in the report. They concluded that ransomware gangs were taking longer to elevate privileges within Active Directory controlled domains than previously. This is the equivalent of ‘shows some improvement, could do better’ on your school homework. As a final ‘food for thought’ from this report comes the news that Europe accounted for 31% of IBM’s X-Force team’s incidents that they responded to and within that the UK was the primary target.

Transport for London

On the 1st of September, Transport for London (TfL) was hit with a cyber incident and found itself unable to process Oyster cards or contactless payments. Other administrative activities related to Oyster cards, like new registrations and refunds for incomplete journeys, were also impossible. Later, it was confirmed that personal data for at least 5,000 customers had been exposed. To contain the initial problem, TfL engineers shut down other system features like jam cams, dial-a-ride bookings and concession card apps. TfL staff were also unable to use some internal systems, and additional ID checks were employed.

The National Crime Agency (NCA) headed the investigation, and on September 5th, a 17-year-old male was arrested in Walsall on suspicion of Computer Misuse Act offences. Attacks like this one, deemed against the country’s Critical National Infrastructure (CNI), are treated with the highest priority.

The attack has been characterised as ‘sophisticated’ and ‘aggressive’, but as with all such incidents, it requires calm analysis to determine correctly what happened and how ‘sophisticated’ it really was. It would seem that it was not nearly as dramatic as the attack depicted in the recent BBC thriller Nightsleeper, which featured a cyber attack on a train from Scotland to London. In the meantime, TfL employees must present themselves at Palestra House, TfL’s Southwark headquarters, to have their passwords changed and digital IDs recertified.

Harvey Nichols attack

In late September, the upmarket department store Harvey Nichols wrote to affected customers, stating that it had been the victim of a breach and that personal data had been exposed. The company were at pains to stress that it believed that the stolen data was ‘non-sensitive’. However, any data related to an individual could be used as the basis for future phishing attacks, or fed into one of the many dark web aggregator sites that gradually build a complete dataset on an individual from information stolen in multiple attacks.

In the meantime, it is worth reminding ourselves that whenever a situation like this occurs, there is further danger from opportunistic attacks by parties pretending to be the breached company trying to put things right. Harvey Nichols also took the opportunity to apologise to their customers when alerting them to the issue, whereas many victims use their external communications to try to distance themselves from culpability or play down the gravity of the problem. However, despite their willingness to communicate well with their customers, Harvey Nichols remained tight-lipped about any technical details of the breach.

Ukraine war update

As discussed in a previous article, the Russia/Ukraine conflict began with probing cyber attacks from Russia. Both sides have been deploying cyber offensives as the war has progressed and escalated. In the beginning, much of the Ukrainian effort went towards disrupting Russian sites and communications in any way possible. Russia had already tried to attack Ukraine’s Critical National Infrastructure (CNI), including power grids and telecommunications hubs.

More recent attacks have been much more focused. On October 7th, Ukrainians attacked the Russian state TV company VGTRK. Reports from Russia indicated that hackers had erased everything from the company’s servers, including backups. The Russian state played down such reports and said that all was well. Coincidentally, this attack was performed on Vladimir Putin’s birthday and is believed to have been executed by the Ukrainian group Sudo rm-rf.

Ukraine’s State Service of Special Communications and Information Protection (SSSCIP) reported an increase in attacks targeting the security, defence and energy sectors. A total of 1,739 incidents were registered in the first half of 2024, up 19% from 1,463 in the preceding six months.

Of those recorded attacks, 48 were deemed either critical or high severity. However, there has been a continuing trend on both sides towards securing covert footholds to attempt to extract information.

Meanwhile, in the fog of cyberwar, it is not just the two main protagonists who have been busy. Some attacks have been attributed to China-linked cyber espionage groups, one of which, UAC-0027, was observed dropping DirtyMoe malware to attempt crypto-jacking and DDoS attacks.

Gamaredon is a Russian hacking group also logged as Aqua Blizzard, Winterflounder, UAC-0010, Shuckworm and many other names. Throughout the conflict, as other actors have come and gone, Gamaredon has remained consistently active, methodically attacking Ukrainian targets as it has done since before the conflict erupted. In a profile that is becoming more common, Gamaredon does not deploy new tools or revolutionary methods. Instead, they select known techniques and use them relentlessly and effectively. They use the information stealer malware PteroBleed and leverage third-party services like Telegram and Cloudflare. They show that an aggressive approach with persistence can pose a significant threat.

Big and trusted sites

I’m sure most readers of security blogs like this will be familiar with the term ‘living off the land’. It refers to malware using existing, legitimate features and tools to perform malicious activities. A similar technique is now ‘living off trusted sites’ (LOTS). Microsoft has alerted customers to this growing trend, where phishing campaigns use trusted sites like OneDrive, SharePoint and Dropbox to add legitimacy to their email lures.

Attacks begin with the compromise of a user at a trusted vendor; malicious files and payloads are placed on the file hosting service. Phishing emails refer to malicious files which are password protected, meaning the attack is directly targeted. The victim will log in to the file-sharing system, but the harmful files will be in ‘view-only’ mode. This prevents the user from downloading the files and examining them. Access to the files is granted once the recipient logs in using their email address, and a one-time password is sent to their email address. This all sounds entirely legitimate, and once the target is successfully authorised, they are instructed to click one further link to view the contents. This is when the bad stuff happens. The link redirects to what is quaintly termed an Adversary-in-the-Middle (AitM) attack: a phishing page set up to steal passwords and any 2FA tokens.

Readers will be unsurprised to learn that AitM kits are for sale on the dark web; for example, Mamba 2FA is marketed as Phishing as a Service (PaaS) and often takes unwary victims to fake Microsoft 365 login pages. Retailing for around $250 a month, it handles two-step verification like one-time codes. Stolen credentials are then whisked off to the attacker via a Telegram bot.

Weaponising AI

Apart from helping teenagers with homework and lazy programmers to write their code, OpenAI is also open to abuse by cybercriminals. The company announced in early October that it had foiled more than 20 attempts to use the platform for nefarious purposes ranging from debugging malware to creating AI-generated profile pictures for fake accounts on X. Other attempts covered writing articles for websites and generating entire biographies for fake social media accounts.

So far, this kind of activity has proved difficult to police effectively by the social media companies themselves. However, its influence on politics should not be downplayed. With large portions of the population getting their news through social media, we might expect those media companies to do a better job.

OpenAI did highlight some of the actors they have discovered and, hopefully, foiled:

Cyber Av3ngers — affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) — was researching programmable logic controllers, which we all remember from Stuxnet.

SweetSpecter is a group, likely China-based, trying to use OpenAI for vulnerability research, scripting, and evasion. This group has also directly attacked OpenAI staff with phishing attacks, trying to insert the SugarGh0st RAT.

Storm-0817 — a threat actor from Iran using OpenAI to debug Android malware, develop tools to scrape Instagram profiles and translate LinkedIn profiles into Persian.

Beyond these, they noted several accounts using OpenAI to create political campaign websites, AI-generated political personas and email messages that precisely target based on campaign points, introducing the ability to distribute misinformation on an industrial scale.

Change Healthcare, BlackCat, $22M payout and no honour among thieves

In late February Nashville-based Change Healthcare, which reportedly handles more than 15 billion healthcare transactions annually, began having problems. Users reported connectivity issues and applications suddenly became unavailable. An immediate effect of this was difficulty in filling prescriptions and receiving payments from insurers for care. The US Military were using the service and were forced to shift to a manual method for filling prescriptions, worldwide.

Following investigation it emerged that Change Healthcare had been breached by the BlackCat/AlphV cybercrime group. This is the same group that was linked to the MGM Resorts hack in 2023. Change Healthcare initially filed what is known as an 8-K report with the US Securities and Exchange Commission attributing the breach to a ‘nation-state associated cyber security threat actor’; independent researchers, however, have said that BlackCat/AlphV is a Russian-speaking group and have not linked it to any government.

Various observers of the changing cybersecurity landscape have noted that crime groups pay less attention to credit cards today since they can be easily rendered useless on discovery of the theft. Personal data and healthcare data in particular is a more valuable and less perishable commodity.

Change Healthcare had recently completed a $7.8 billion merger in 2022 with Optum, and incidents like this are fuelling anti-trust experts’ suspicions about centralising too many healthcare services.

However the temptations to centralise and consolidate are financially persuasive. United Health Group, which owns Change Healthcare, made more than $370 billion in revenue in 2023, with $22 billion of that as profit.

Clearly the cybercrime gang were fully aware of the size and wealth of the company. Although neither Change Healthcare nor its parent, United Health Group, has admitted paying any ransom, there is clear evidence on the Bitcoin blockchain that a payment of 350 Bitcoin (roughly equivalent to $22 million) was made. Recorded Future and TRM Labs, blockchain analysis firms, both confirmed that BlackCat/AlphV received this large payment.

In the cybercrime business model the organising group, in this case BlackCat/AlphV, will usually take around 20-30% of any ransom. The bulk will go to the ‘affiliates’ who actually perform the breach and ransomware activity. In this case however there seems to have been a breach of contract. Two days after the $22 million transaction someone describing themselves as an affiliate of AlphV posted to RAMP, a cybercriminal dark web forum, that AlphV had cheated them out of their share of the ransom, even pointing to the $22 million transaction as proof.

In another unusual twist it appeared at first sight that the BlackCat/AlphV darknet site had been seized by law enforcement when a seizure page replaced the normal landing page. However the takedown notice appears to be a fake, further suggesting that this looks more like members of BlackCat/AlphV simply taking all the money, pretending, rather ineffectively, that they had been compromised. AlphV’s site was taken down for real in December 2023 and ironically the fake takedown page seems to have been copied from that actual takedown of their previous site.

There is no happy ending to this story as it stands. Since the affiliate hackers have been ripped off by their bosses they may now be tempted to go back to Change Healthcare and explain that they still have, reportedly, some 4TB of data and demand a similar ransom again.

We have mentioned before the difficulties in paying ransoms. We have seen that many insurance firms used to view paying the ransom as the most efficient means to restore their clients’ business. However as news of what is a very high payout spreads there are bound to be more gangs attempting to emulate AlphV.

When nation states attack

Much has been written recently about Chinese State hacking and election interference in the UK. The National Cyber Security Centre (NCSC) has officially blamed this interference on a group known as APT31. This refers back to incidents and compromises from 2021 and 2022 but readers of this blog and some of my other articles will recall that one of the hardest aspects of cybersecurity is identifying a culprit, or attribution. The very fact that NCSC (and by inference GCHQ) are confident enough to publish their thoughts is significant.

A brief piece of history might be appropriate here. In 2004 Kevin Mandia, a former USAF officer, started a company called Red Cliff. It was rebranded in 2006 as Mandiant. In 2013 Mandiant released a report documenting evidence of cyber attacks by the People’s Liberation Army (PLA), the military arm of the Chinese Communist Party. The report had been at least three years in the making but what set it apart from other documents about intrusions was that Mandiant’s team of hunters had traced the attackers to source. It had proof that the attacks originated from a particular unit of the PLA, Unit 61398. The Mandiant team had even uncovered individual members of the unit, their home addresses and contact details. Although China naturally denied everything, it was irrefutable. I was able to meet, and attend a presentation by, Kevin Mandia in San Francisco shortly after the report was published — and it was a revelation.

This paved the way for other security companies to refine and develop their attribution techniques. It also announced Mandiant as a leading security company and they are something of a ‘go to’ specialist to triage and investigate the biggest security issues, like the SolarWinds breach and the Colonial Pipeline breach. First acquired by FireEye in late 2013, for a reported $1 billion, the company is now part of the Google empire. Bought for $5.4 billion in 2022, it is part of the Google Cloud division although trading under its own name.

This aspect of cyber security is more difficult today as many attackers do not need to use specialised, custom code. Rather, they make use of existing and often old tools. This has a dual purpose as it saves development time while also complicating attribution.

As a direct result of the Chinese hacking within the UK, the Government has announced sanctions.

In the US meanwhile a group of Chinese nationals has been charged with various offences involving sending malicious emails — more than 10,000 — to US officials, the justice department and the FBI. These will be the foot soldiers, tasked with snagging the unwary with phishing emails to be handed on to military cyber attackers operating from within China.

Unsurprisingly, a spokesperson for the Chinese embassy in Washington DC said ‘without valid evidence, relevant countries jumped to an unwarranted conclusion’ and ‘made groundless accusations’.

In this case the phishing emails pretended to come from prominent media outlets or journalists. Rather than containing actual malware or directly linking to hostile sites, the emails simply carried hidden tracking links which enabled details of the location, IP address etcetera of any target that opened the email to be sent to the attacker’s server. Once more specific information was known about a target, an individualised email could be developed with a greater chance of success. It also allowed focused reconnaissance, enabling direct compromise of routers or devices at some targets’ locations.

No longer headline news?

As someone who takes more than a passing interest in cyber security and the continued ingenuity of the attackers, I still read all reports keenly. While I am more interested in the techniques being used, I still register the impact of these intrusions. I’m not sure this is generally the case. In an alarming report on the itgovernanceusa.com website at the beginning of May, they reported:

‘5,136,645,282 known records breached so far in 2,098 publicly disclosed incidents’

A sister website for Europe, itgovernance.eu, reports similar statistics:

‘2,289,599,662 known records breached so far in 556 publicly disclosed incidents’

While the numbers appear quite a bit better for Europe, the actual numbers are still depressingly high.

Let’s take a look at the two largest breaches, measured by amounts of data compromised, for each region.

Spy.pet Discord ‘breach?’ (USA)

Top of the charts in the US report is data from Discord. This is an interesting one since, technically, it could be argued that all Spy.pet do for their ‘service’ is harvest messages from Discord servers. In fact they have apparently harvested more than 4 billion messages, from 620 million users across 14,000 Discord servers. This trove of privacy-trampling data can be yours, for a fee.

The data is arranged in user profiles, which include all known aliases, connected accounts to other platforms such as Steam and GitHub, Discord servers joined, and public messages. If you wanted to spy on a Discord user or users, Spy.pet lets you do that.

Such is the uncertainty over whether any crime has been committed that TheRegister asked Discord for comment and were told:

‘Discord is committed to protecting the privacy and data of our users. We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.’

Some unexpected customers for this nicely organised data are law enforcement and those wishing to train AIs. The sage advice given after Oliver North’s embarrassment at having emails he thought he had deleted resurface during the Iran-Contra trials applies equally here: only write something in an email (or on Discord) that you don’t mind everyone reading.

Joking aside, privacy seems the next logical step for society to grapple with after the basics of online security are handled. With the explosion of computing power and the ability for almost anyone to harness software that was once the province of only sophisticated states, personal data in all forms must be protected as much as possible. This includes messages, online habits, locations and the wealth of meta-data involved in any/all online activity. Gradually the general public are realising not only how much data is recorded about them but the various ways in which this data may be mined for inferred details about their lives and habits that they would prefer remained private.

Zenlayer Cloud Server Provider: c.380 million records

The second largest, by amount of data, from the US so far this year is from a company called Zenlayer that provides cloud servers on demand. This was discovered by a security researcher, Jeremiah Fowler, who reported it to Zenlayer. Although they did not give him the courtesy of a reply he noted that they secured the database immediately.

Zenlayer, quoting from Fowler’s article:

‘Zenlayer is a global network services provider. It offers solutions such as SD-WAN (Software-Defined Wide Area Network), CDN (Content Delivery Network), and cloud services. According to their website, they provide services to well-known global brands in industries such as telecom, gaming, media and entertainment, cloud computing, and blockchain. Zenlayer is headquartered in Los Angeles and Shanghai, but it also has offices in Mumbai, Singapore, Hong Kong, Beijing, and Shenzhen. Additionally, Zenlayer claims to have 290+ data centers on six continents. According to a press release, Zenlayer ranked #3 on the Financial Times’ list of the Americas’ Fastest Growing Telecom Companies in 2021. Then, in 2023, the company was recognized as Amazon Web Service’s (AWS) partner of the year.’

The unsecured database was about 57GB in total. This data included a variety of the server logs alongside customer data. There were internal emails exposed, which would have value when organising targeted phishing attacks. Other miscellaneous data the researcher discovered were details of VPN configuration and other internal network details that would be valuable to a potential attacker.

Following this discovery the researcher looked further and found additional data exposed on a subdomain. This was accessible through a browser (from Fowler’s article):

‘It identified customers, disclosing their information in a URL format that could be viewed in any browser. The customer numbers run in chronological order and could be seen by simply changing the number such as customer/001, customer/002, customer/003, etc. This was not a database but a web-based listing of Zenlayer’s users in a plain text html format. Each of these records indicated the customer’s email, phone number, ID number, billing method, name of the business, and number of employees.’

Again, unlike our normal items involving nefarious cybercrime groups making off with data to sell it via Dark Web marketplaces and hacker forums, this probably had a happy ending. Fowler reported the weakness he had found and the company closed the hole. But as always in situations like this it is impossible to know if Jeremiah was the first to spot this hole. Since much of this data could feed into more targeted attacks against entities whose data was exposed, it may take some time to determine any real world fallout.
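The sequential customer/001, customer/002 listing Fowler describes is a textbook insecure direct object reference: the identifier is guessable and the server never asks who is requesting it. The following Python is added here as an illustration and is not Zenlayer’s code; it puts that weak pattern next to a hardened handler. The records, session tokens and helper names are constructed assumptions.

```python
"""Added example (not Zenlayer's code): a customer listing that can be walked
by changing a sequential number, next to a version that ties each record to
the authenticated session and uses opaque identifiers.

Records, session tokens and the request helpers below are constructed
assumptions for illustration; the real site's implementation is not known.
"""
import secrets

# Constructed records, keyed by sequential customer number as in the exposed
# listing (customer/001, customer/002, ...).
CUSTOMERS = {
    "001": {"email": "alice@example.com", "phone": "+1-555-0101", "business": "Alice Ltd"},
    "002": {"email": "bob@example.com", "phone": "+1-555-0102", "business": "Bob GmbH"},
    "003": {"email": "carol@example.com", "phone": "+1-555-0103", "business": "Carol SA"},
}


def weak_lookup(path):
    """Weak handler: whoever reaches the URL gets the record, no login needed."""
    number = path.rsplit("/", 1)[-1]
    return CUSTOMERS.get(number)


def reachable_without_login(max_number=10):
    """Lists the records an anonymous caller reaches by stepping through numbers."""
    hits = [weak_lookup(f"customer/{n:03d}") for n in range(1, max_number + 1)]
    return [rec["email"] for rec in hits if rec]


# Hardened handler. Two changes: (1) an opaque random id replaces the
# sequential number, so ids cannot be stepped through; (2) the handler checks
# that the authenticated session owns the record it asks for.
OPAQUE_TO_NUMBER = {secrets.token_urlsafe(16): number for number in CUSTOMERS}
NUMBER_TO_OPAQUE = {number: opaque for opaque, number in OPAQUE_TO_NUMBER.items()}

# Constructed session store: which logged-in principal owns which customer.
SESSIONS = {"session-alice": "001", "session-bob": "002"}


def hardened_lookup(session_token, opaque_id):
    """Returns the record only to its owner; None for everything else.

    'Not found' and 'not yours' deliberately look the same to the caller, so
    the response does not confirm which ids exist.
    """
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None
    number = OPAQUE_TO_NUMBER.get(opaque_id)
    if number is None or number != owner:
        return None
    return CUSTOMERS[number]


def reachable_by_guessing(session_token, attempts=1000):
    """Counts records a logged-in caller reaches by guessing random opaque ids."""
    hits = 0
    for _ in range(attempts):
        if hardened_lookup(session_token, secrets.token_urlsafe(16)) is not None:
            hits += 1
    return hits


if __name__ == "__main__":
    print("weak handler, anonymous walk:", reachable_without_login())
    alice_id = NUMBER_TO_OPAQUE["001"]
    print("hardened, owner:", hardened_lookup("session-alice", alice_id)["email"])
    print("hardened, other user's id:", hardened_lookup("session-bob", alice_id))
    print("hardened, 1000 guesses:", reachable_by_guessing("session-alice"))
```

Swapping the number for a random token on its own is not a fix: without the ownership check, anyone who obtains a link (a forwarded email, a browser history entry) still reads the record. The check is the control; the opaque id just removes the cheap enumeration, and returning the same empty answer for ‘does not exist’ and ‘not yours’ stops the endpoint confirming which ids are real.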

Now let’s turn our attention to Europe.

Russian research centre Planeta: Ukraine says 2 PB of data wiped

The ongoing war in Ukraine continues to provide a glimpse of what future conflicts may look like, encompassing not only war in the air, on the ground and at sea, but also cyberwarfare. One of the latest incidents to be made public is a claim by Ukraine to have successfully breached a Russian research centre and wiped more than 2 petabytes of data.


The Main Directorate of Intelligence of the Ministry of Defence of Ukraine, HUR, has announced success in breaching Russia’s Far Eastern Research Center for Space Hydrometeorology, or Planeta. Understanding that news of state-sponsored attacks against combatants during wartime must be treated with a certain degree of caution, the cyber attack on Planeta is said to have destroyed 280 servers at a cost of ‘at least $10 million’. The research centre is known to receive and process satellite data on behalf of more than 50 Russian state entities, including the Ministry of War.

Perhaps for obvious reasons there are no details of how the attack was carried out; this kind of detail will likely emerge later, but the Ukrainian report also claimed that recovery of the lost data would not be possible.

Once again this is not a ‘typical’ example of a cyber attack or data breach. Motives are different and the target was different. It is also possible that the techniques used were radically different too, since Ukraine is being assisted by friendly states such as the US and the UK in its cyberwarfare activities.

IPL Consulting: >60TB of data allegedly destroyed in Ukrainian cyber attack

The second largest breach globally, by amount of data affected, in the first half of 2024 is also related to the Ukraine war. It was announced via Telegram:

‘The Main Directorate of Intelligence of the Ministry of Defense of Ukraine informs about another successful cyber attack on Russia — the entire IT infrastructure of the IPL Consulting company, which specialized in the implementation of information systems in Russian industry, was destroyed. The specified company presented itself as one of the most modern Russian enterprises, which provided assistance in the implementation of information systems to institutions engaged in design, production of automotive and aviation components, heavy engineering, production of equipment and devices, in particular in the interests of the Russian defense-industrial complex.

The devastating attack against IPL Consulting was carried out by GUR specialists, who penetrated the company's internal network and destroyed its entire IT infrastructure of more than 60 terabytes, dozens of servers and databases. The cost of the digital array of data lost by Russia is being calculated. In the conditions of ongoing sanctions pressure against Russia, the damage inflicted on the enemy is extremely painful. In addition, dozens of Russian companies that work for the "defense" of the aggressor state will suffer.’

This attack seems to have been confirmed by various ‘intelligence sources’ although the media seems to have relied on reports from Ukraine’s Main Intelligence Directorate (HUR).

This is another incident of which we may never know the full details, but reminds us again of the new world in which we live.

Size isn’t everything

So the four largest incidents, by amount of data involved, in the first six months of 2024 on two continents have turned out not to involve cybercrime. Admittedly the Discord/Spy.pet incident was motivated by profit, but it may not have actually broken any laws.

When one gets into the body of these catalogues of security failings however, there are more familiar scenarios. For example between early February and early March the French national unemployment agency, France Travail, was attacked. Data on some 43 million people was obtained, which included details like:

  • Full name
  • Date and place of birth
  • Social security number (NIR)
  • France Travail identifier
  • Email address
  • Postal address
  • Telephone number

France Travail did note that no passwords or banking details were exposed, but since most similar data breaches find their way to dark web sites, the data is then amalgamated with data from other sources, like the pieces of a jigsaw.

French newspaper Le Figaro reported that attackers posed as Cap Emploi advisors to break in. Cap Emploi is a government agency supporting people with disabilities that works together with France Travail.

According to a prominent ethical hacker, known as SaxX, the four most likely attack vectors were:

  • Data scraping from an insider
  • A vulnerability exploit
  • An unfortunate database export to an exposed or insecure cloud service
  • A third-party compromise

Precise details of the methods are still not known. This is not the first problem for France Travail (known as Pôle emploi until late 2023), which was a victim of the MOVEit supply chain attack last year.

CCP gets Apple to modify AirDrop

Now for a security item that is not a major hack but is of interest nonetheless. A Chinese state-backed research institute claimed to have hacked the Apple AirDrop feature to enable identification of the phone number and email address of senders. This is significant as AirDrop has been used regularly to coordinate protests in China. AirDrop can be used to send something to ‘everyone’ in range. Along with whatever is being deliberately sent, hashes of the sender’s phone number and email address travel with it. Since telephone numbers have limited variability, are the same length and are made up only of digits, it is feasible to pre-hash all possible numbers and then perform a simple lookup when decoding a hash whose source you want to trace.

To do this it would be necessary to have physical access to the device, so for the case of China’s authorities wishing to clamp down on organised protesters it presents a problem. The Chinese Communist Party (CCP) had already approached Apple about this problem. We can safely assume that as a direct result of this Apple modified AirDrop so that the ‘everybody’ option could only be activated for 10 minutes at a time. We may also reasonably assume that this Chinese research is aimed at discouraging protesters from using the AirDrop method in case they can be traced by the authorities.
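To see why an unkeyed hash of a phone number gives so little protection, here is a short Python demonstration added for this article; it is not Apple’s AirDrop code and makes no claim about the exact scheme AirDrop uses. It uses a constructed toy number format (a fixed prefix plus four varying digits) so the table builds instantly, and contrasts three variants: a plain hash, a hash with a public salt, and an HMAC under a secret the observer does not hold.

```python
"""Added example, not Apple's code: why an unkeyed hash of a low-entropy
identifier such as a phone number can be reversed by table lookup, and which
variants of 'hashing' actually stop that.

The number format (a fixed prefix plus four varying digits) is a constructed
toy keyspace so the table builds in well under a second. Real numbers are
longer, but the space is still small enough to precompute in full.
"""
import hashlib
import hmac
import secrets

PREFIX = "+44 7700 90"  # constructed; only the trailing four digits vary


def all_numbers():
    """Every number in the toy keyspace (10,000 values)."""
    return (f"{PREFIX}{i:04d}" for i in range(10_000))


def unkeyed_hash(number):
    """What the weak scheme sends: a plain hash of the identifier."""
    return hashlib.sha256(number.encode()).hexdigest()


def build_lookup_table():
    """Pre-hash every possible number once; lookups are then a dict read."""
    return {unkeyed_hash(n): n for n in all_numbers()}


def recover_number(table, observed_hash):
    """Returns the number behind an observed unkeyed hash, or None."""
    return table.get(observed_hash)


def salted_hash(number, public_salt):
    """Public per-message salt: defeats the precomputed table, but see below."""
    return hashlib.sha256(public_salt + number.encode()).hexdigest()


def brute_force_salted(observed_hash, public_salt):
    """With the salt visible, an observer just rehashes the small keyspace."""
    for n in all_numbers():
        if salted_hash(n, public_salt) == observed_hash:
            return n
    return None


def keyed_hash(number, secret_key):
    """HMAC under a key the observer does not hold: neither a table nor an
    online pass over the keyspace works without the key."""
    return hmac.new(secret_key, number.encode(), hashlib.sha256).hexdigest()


def brute_force_keyed(observed_hash):
    """An observer without the key can only try the keyspace under a guessed
    key (here the empty key); this never matches a real secret."""
    for n in all_numbers():
        if keyed_hash(n, b"") == observed_hash:
            return n
    return None


if __name__ == "__main__":
    target = f"{PREFIX}1234"
    table = build_lookup_table()
    print("unkeyed, table lookup:", recover_number(table, unkeyed_hash(target)))
    salt = secrets.token_bytes(16)
    print("salted, table lookup:", recover_number(table, salted_hash(target, salt)))
    print("salted, online pass:", brute_force_salted(salted_hash(target, salt), salt))
    key = secrets.token_bytes(32)
    print("keyed, pass without key:", brute_force_keyed(keyed_hash(target, key)))
```

The salted variant is the one worth dwelling on: a public salt only defeats a table built in advance, and because the keyspace is tiny the observer simply rehashes it on the spot. Only a secret the observer lacks removes the lookup, which is why this class of problem is addressed with a shared secret or a privacy-preserving matching protocol rather than a different hash function.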

FBI takes down Russian botnet

A botnet being run by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) has been taken down by the FBI in an Operation called Dying Ember. It is thought that the original botnet was created by a cybercrime gang and then obtained by the GRU. It made use of the Moobot malware, installed on around 1,000 Ubiquiti routers. It is believed that the original infections were possible through use of default passwords on the routers. Previously the Moobot malware had been used for Distributed Denial of Service (DDoS) attacks but in this case a variety of exploit packages and scripts were found. This appears to have been a more sophisticated, planned use for these exploited routers, likely state-sponsored and targeting specific companies of interest.

This is the second significant botnet taken down this year, after the DOJ dismantled the KV botnet set up by China's Volt Typhoon group. That botnet was being used to target Critical National Infrastructure (CNI): sites like energy systems, satellite and communications installations. Sophisticated malware specifically crafted to attack infrastructure targets has also been found, notably the toolset known as Pipedream (Dragos's name) or Incontroller (Mandiant's name). These are two names for the same framework, disclosed in 2022, and it has not been linked to the KV botnet.

Pipedream is believed to have been developed for use in an armed conflict scenario. It is a modular attack framework that can be adapted to attack industrial control systems from more than one manufacturer, with components targeting Schneider Electric and Omron PLCs as well as OPC UA servers. Fortunately it has, to date, never been used in anger: it was discovered and analysed before it was deployed against a target.

For the want of a nail…

Possibly the most significant security issue this year so far, and one that was thankfully caught before it could fulfil its potential, was the so-called XZ backdoor. Linux is fundamentally open source, developed and maintained by a diverse array of programmers across the world, and the same is true of the many separate projects that every distribution bundles with the kernel. Each such project will have a lead maintainer and sometimes several others who contribute code and expertise. Some projects are smaller than others, and XZ Utils, the compression library (liblzma) and tools that ship in essentially every Linux distribution, was maintained by a single volunteer, Lasse Collin, based in Finland.

What followed was a very patient and sinister social engineering attack on an unsuspecting Lasse Collin. First a new, previously unknown developer identity, 'Jia Tan', appeared online and began to contribute patches and small updates to open source projects, gradually building a reputation within the community. Then Jia Tan contributed what appeared to be a quality of life improvement to XZ Utils. The maintainer saw nothing amiss, but a new person, 'Jigar Kumar', then posted on the project mailing list welcoming the proposed change while lamenting that the release schedule was so slow it would be a long time before it was available.

This now appears to have been a complete setup to portray Tan as a trustworthy individual, with the aim of having Lasse take Tan on as co-maintainer of XZ Utils. Another apparently fake account, 'Dennis Ens', soon joined the discussion about the slow release schedule. Over a period of months these accounts kept pressuring Lasse until he admitted that he had been having personal problems, that he did the work unpaid, and that perhaps Jia Tan could take on the maintainer role. Having begun the social engineering in 2021, Jia Tan was granted commit access to the XZ Utils repository late in 2022 and took over as maintainer during 2023. Because this was a patient attack, the backdoor itself was not committed until February 2024, although some of the groundwork for it was laid during 2023.

The reason a vulnerability in this obscure compression library matters is the path by which it reaches OpenSSH, the remote-access software that almost every system administrator relies on. OpenSSH itself does not use XZ, but several major distributions (Debian, Ubuntu, Fedora and others) patch the sshd daemon to notify systemd when it has started, which links it against libsystemd, which in turn links against liblzma. That chain placed attacker-controlled code inside the sshd process, which runs as root. The backdoor hooked the RSA signature verification used during SSH authentication so that a client presenting a payload signed with the attacker's private key could have commands executed on the host; no password or authorised key was needed. It was version 5.6.0 of XZ Utils, published on 24 February 2024, that first contained the malicious code, and the subsequent 5.6.1 release contained it too.

Gradually the tainted version was picked up in the development releases of some major Linux distributions. These development, or alpha/beta, releases are generally used only by other developers and are not deployed to production systems. One such developer, Andres Freund, a PostgreSQL developer working for Microsoft, was investigating performance oddities on a Debian unstable system: SSH logins were taking about half a second longer than they should, sshd was using an unusual amount of CPU, and his memory-checking tools were reporting errors in liblzma. That led him to examine how the new version was built, and he found that the backdoor was not in the readable source at all. The malicious object code was hidden inside two binary 'test' files in the repository's test-file directory and was extracted and spliced into liblzma by an obfuscated build script that existed only in the release tarball, not in the Git repository. Anyone reading the source in the repository, or even the committed test files, would have had no reason to expect extra code to be injected at build time.

Andres posted what he had found and caused a major storm online. Anyone who had actually rolled out the infected version of XZ Utils quickly rolled back to the previous version, and attention switched to Jia Tan and every line of code that identity had ever written. Whether there actually is someone called Jia Tan is still an open question, and one that will be investigated much further, you can be sure of that.
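The triage that administrators ran in the days after the disclosure was essentially two questions: does my sshd load liblzma at all, and is the installed XZ one of the two backdoored releases? The following is an added example (not code from the article, from the XZ project or from any distribution) that encodes both checks. The `ldd` and `xz --version` outputs used as samples are constructed for the example, not captured from a real host; the version-string parsing is an assumption about the usual output format.

```python
import os
import re
import shutil
import subprocess
from typing import List, Optional, Tuple

# Upstream releases whose tarballs carried the backdoor (CVE-2024-3094).
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample outputs (not from a real host) so the checks run offline.
SAMPLE_LDD_AFFECTED = """\
\tlinux-vdso.so.1 (0x00007ffd8b3f1000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c29f00000)
\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29e00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
"""
SAMPLE_LDD_CLEAN = """\
\tlinux-vdso.so.1 (0x00007ffd8b3f1000)
\tlibcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f1c2a000000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29c00000)
"""
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


def parse_xz_version(output: str) -> Optional[str]:
    """Pull the liblzma version out of `xz --version` output (format is an assumption)."""
    m = re.search(r"\bliblzma\s+(\d+\.\d+\.\d+)", output)
    if m is None:
        m = re.search(r"XZ Utils\)\s+(\d+\.\d+\.\d+)", output)
    return m.group(1) if m else None


def is_backdoored_version(version: Optional[str]) -> bool:
    return version in BACKDOORED_XZ_VERSIONS


def liblzma_in_ldd(ldd_output: str) -> Optional[str]:
    """Return the liblzma path sshd is linked against, or None if it is not loaded at all.

    The backdoor only reaches sshd through libsystemd -> liblzma, so a sshd that
    does not load liblzma is not exposed to this particular attack.
    """
    for line in ldd_output.splitlines():
        if "liblzma" in line and "=>" in line:
            return line.split("=>", 1)[1].split("(")[0].strip()
    return None


def assess(ldd_output: str, xz_version_output: str) -> Tuple[str, List[str]]:
    """Combine both checks into a verdict plus human-readable notes."""
    notes: List[str] = []
    path = liblzma_in_ldd(ldd_output)
    version = parse_xz_version(xz_version_output)
    if path is None:
        notes.append("sshd does not load liblzma; the CVE-2024-3094 hook cannot be reached")
        return "not-exposed", notes
    notes.append(f"sshd loads liblzma from {path}")
    if is_backdoored_version(version):
        notes.append(f"installed XZ {version} is a backdoored upstream release; downgrade/reinstall")
        return "backdoored-version", notes
    notes.append(f"installed XZ version {version} is not 5.6.0/5.6.1; confirm against distro advisory")
    return "exposed-version-clean", notes


def main() -> None:
    sshd = shutil.which("sshd") or "/usr/sbin/sshd"
    if os.path.exists(sshd) and shutil.which("ldd") and shutil.which("xz"):
        ldd_out = subprocess.run(["ldd", sshd], capture_output=True, text=True, check=False).stdout
        xz_out = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False).stdout
    else:
        # No sshd/ldd/xz here: fall back to the constructed samples to demonstrate the logic.
        ldd_out, xz_out = SAMPLE_LDD_AFFECTED, SAMPLE_XZ_VERSION
    verdict, notes = assess(ldd_out, xz_out)
    print(verdict)
    for n in notes:
        print(" -", n)


if __name__ == "__main__":
    main()
```

Treat the verdict as a prompt, not a proof: a distribution may ship a rebuilt or reverted package whose version string still reads 5.6.x, and `xz --version` reports the CLI's liblzma, which is not necessarily the one sshd maps. The authoritative check is the package hash against your distribution's advisory.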

This is an example of a supply-chain attack: it is not directed at a single target but is inserted at source into software that is used widely, so that every downstream user inherits it. The technique, and the patience shown by the attacker(s), suggest a nation-state actor, but this is unconfirmed so far. It highlights the level of vigilance required to protect the systems we rely on, and the subtlety available to determined attackers, who combined technical tricks (code hidden in binary test data and injected by a build script) with careful social engineering and the selection of a potentially vulnerable individual. In case of doubt, this incident was assigned CVE-2024-3094 with a CVSS score of 10.0 out of 10. Had it gone unnoticed, it would have allowed anyone holding the attacker's private key to execute code as root on any internet-facing Linux host running an affected sshd build.