Micode · Nov 5 · Tech

L'attaque informatique la plus sophistiquée de l'Histoire (The Most Sophisticated Cyberattack in History)

29 min video, 5 key moments
TL;DR

A developer infiltrated XZ for three years, installing a backdoor in software used by 100 million people — discovered only by chance when an engineer noticed a 500-millisecond CPU delay.

Key Insights

1. 500-millisecond delay detection: A Microsoft engineer named Andres Freund detected the XZ backdoor by noticing a suspicious 500-millisecond delay in SSH performance during routine benchmarking—a latency most people would never catch.

2. Two-year infiltration strategy: Jia Tan infiltrated the XZ project for over two years, gradually gaining maintainer privileges by exploiting the burnout of the original creator Lasse Collin, who maintained the software alone as a volunteer.

3. Three-layer obfuscation: The backdoor was hidden using a three-layer obfuscation technique: malicious code compiled into a corrupted test file, decoded by macros during compilation, then extracted and decrypted into the final binary.

4. SSH key verification modification: Jia Tan weaponized XZ's integration with SSH by modifying the SSH key verification process to silently accept a specific attacker-controlled key, enabling remote access without alerting victims.

5. Targeted system activation: The backdoor only activated on specific Debian-based systems, suggesting a highly targeted attack rather than an indiscriminate global compromise.

6. Timezone operational security failure: Timezone analysis reveals Jia Tan may have slipped nine times, exposing commits timestamped in UTC+2/+3 (Eastern Europe/Moscow) instead of the spoofed UTC+8, with two instances physically impossible to fake via travel.

Deep Dive

The 500-Millisecond Discovery

On March 29, 2024, Andres Freund, an engineer at Microsoft, was conducting micro-benchmarking tests on SSH—the standard tool for secure remote connections. While tracking CPU resource usage to optimize performance, he detected an anomalous 500-millisecond delay in a normally responsive process. Rather than dismissing it, Freund investigated further and realized the latency wasn't coming from his own code but from an external program on his system. This discovery would have remained unnoticed by nearly anyone else; Freund only caught it because he was actively hunting for millisecond-level inefficiencies. When he traced the issue to his recently updated Debian Linux distribution, he uncovered something astonishing: a backdoor embedded in XZ, a ubiquitous file compression tool used by over 100 million people globally.

Why XZ Matters

XZ is foundational infrastructure in the Linux ecosystem. It's a compression utility that most users never directly interact with, yet it's automatically installed as a dependency of countless other programs. Linux distributions package and distribute XZ to millions of systems worldwide, including servers running banks, government agencies, and corporate infrastructure. The tool's criticality lies in its invisibility; when a package manager installs software, it often silently includes XZ without user awareness. The backdoor's placement in XZ meant it could potentially compromise every system that updated to an infected version. The fact that a volunteer—Lasse Collin, the original creator—maintained this critical software single-handedly for 20 years, often neglecting it due to mental health struggles and burnout, created the vulnerability Jia Tan would exploit.

The Long Game: Two Years of Infiltration

Jia Tan's attack wasn't a crude injection but a masterclass in social engineering and patience. In 2021, Jia Tan began submitting code changes to various open-source projects, initially making subtle, benign contributions to build credibility. By 2022, after submitting over 6,000 legitimate code changes across multiple projects, Jia Tan had established a genuine reputation as a competent developer. The critical moment came when Jigar Kumar and another developer named Dennis publicly pressured Lasse Collin on the XZ mailing list, complaining about slow patch reviews and stalled development. Collin, exhausted and struggling with mental health issues, acknowledged his inability to maintain the project alone and suggested adding a new co-maintainer. Jia Tan, who had been working privately with Collin, was nominated and accepted as co-maintainer within days. From that point forward, Jia Tan systematically consolidated control—obtaining merge privileges in January 2023, gaining access to modify the OSS-Fuzz security platform contact email in March, and gradually changing infrastructure, hosting, and alert systems to ensure complete dominion over the project's deployment chain.

The Technical Sophistication

Injecting a simple backdoor is trivial—three lines of code suffice. The challenge lies in hiding malicious code from thousands of auditors reviewing open-source software line by line. Jia Tan engineered an elegant three-stage system: malicious compiled code was embedded inside a deliberately corrupted test file, disguised as legitimate test data. During compilation, a preprocessor macro identified and repaired specific bytes, extracting a shell script that retrieved and decrypted another code fragment from a separate file before injecting it into the final binary. This layered obfuscation meant the backdoor never appeared in plain text in the source code repositories—only in the packaged distributions sent to Linux vendors. Even more deviously, Jia Tan designed the backdoor to remain dormant until specific conditions were met. By targeting SSH's key verification process, Jia Tan created a silent access vector: whenever a specially crafted attacker-controlled SSH key was presented, the verification would pass without logging or alerting the system administrator. The target wasn't random; XZ's deep integration with SSH meant Jia Tan didn't need to establish outbound connections—SSH itself became the remote access tool.
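A defender-side check that follows from the last point (the backdoor lived only in the shipped tarball, never in the repository): diff a release archive against the source tree it claims to come from, and flag files that exist only in the archive or whose bytes differ from the tree. This is an added example in Python, not code from the video or the xz project; the file names and contents it uses are constructed.

```python
import hashlib, io, os, tarfile, tempfile

def tree_digests(repo_dir):
    # relative path -> sha256 of every regular file in the checked-out tree
    out = {}
    for root, _, names in os.walk(repo_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, repo_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def tarball_digests(tar_path, prefix):
    # same map for the archive, with its top-level directory (prefix) stripped
    out = {}
    with tarfile.open(tar_path, "r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.startswith(prefix):
                out[m.name[len(prefix):]] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return out

def compare_release(tar_path, repo_dir, prefix):
    # anything only in the archive, or differing from the tree, is unreviewed code
    repo, shipped = tree_digests(repo_dir), tarball_digests(tar_path, prefix)
    return {
        "only_in_tarball": sorted(set(shipped) - set(repo)),
        "modified": sorted(p for p in shipped if p in repo and shipped[p] != repo[p]),
        "only_in_repo": sorted(set(repo) - set(shipped)),
    }

def build_fixture():
    # Constructed data, not xz's files: a three-file "repo" and an archive that
    # adds one generated m4 file and alters one opaque test file.
    base = tempfile.mkdtemp()
    repo = os.path.join(base, "repo")
    files = {"configure.ac": b"AC_INIT\n", "m4/shared.m4": b"dnl ok\n",
             "tests/files/sample.bin": b"\x00\x01\x02"}
    for path, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(repo, path)), exist_ok=True)
        with open(os.path.join(repo, path), "wb") as fh:
            fh.write(data)
    shipped = {**files, "m4/generated-extra.m4": b"dnl generated\n",
               "tests/files/sample.bin": b"\x00\x01\x02\xff"}
    tar_path = os.path.join(base, "pkg-1.0.tar.gz")
    with tarfile.open(tar_path, "w:gz") as tar:
        for path, data in shipped.items():
            info = tarfile.TarInfo("pkg-1.0/" + path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return tar_path, repo
```

On a real release, run `compare_release` against the tagged git checkout and read every path it reports before the package is built.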

The Targeting and Tactical Precision

Rather than deploying the backdoor universally, Jia Tan configured it to activate only on specific systems running Debian or Debian-derived distributions—a precision that revealed calculated restraint and strategic targeting. The backdoor remained dormant on other Linux variants, suggesting the attacker had specific victims or infrastructure in mind. More critically, Jia Tan timed the release perfectly: the infected versions were distributed to testing channels in late February and early March 2024, with full deployment to Fedora 40 scheduled for April 2024. Had Andres Freund not been running a test version and conducting extraordinary micro-benchmarking, the backdoor would have shipped to millions of production systems globally. Jia Tan's operational security appeared meticulous—using a VPN spoofed to Singapore, maintaining absolute anonymity across every platform, leaving no personal digital traces beyond what was necessary for code contributions. Yet cracks emerged in this facade through timestamp analysis.

The Forensic Unraveling

Security researchers analyzing Jia Tan's commit history discovered that the vast majority were timestamped in UTC+8, the timezone spanning Siberia, Indonesia, the Philippines, Western Australia, and China. However, nine commits—a tiny fraction—were timestamped in UTC+2 or UTC+3, corresponding to Eastern Europe, Israel, and Moscow. More damning, two instances on October 6, 2022, and June 27, 2023, involved commits separated by only minutes, with one in UTC+8 and another in UTC+2. No amount of supersonic travel could bridge this gap; the attacker clearly forgot to adjust timezone settings on those occasions. Deeper analysis revealed that UTC+2/3 commits aligned with a standard workday schedule—roughly 9 a.m. to 6 p.m. on weekdays—consistent with an office-based operative. Chinese holidays like Lunar New Year saw Jia Tan working when a legitimate Chinese resident would be off, further suggesting an Eastern European base of operations. Specialists theorize Jia Tan deliberately spoofed UTC+8 to misdirect attribution toward China, while the leaked UTC+2/3 commits point toward Russia, Israel, or Eastern European intelligence services, potentially aligning with APT-29, the SVR hacking group suspected in the 2020 SolarWinds supply-chain attack.
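The timestamp analysis described here and in key insight 6, as an added example in Python (not from the video or from the researchers' own tooling) run over a constructed git-log excerpt: tally author offsets, pick out the minority-offset commits, find consecutive commits only minutes apart in real time but stamped in different zones, and check whether each zone's commits fit a weekday office schedule.

```python
from collections import Counter
from datetime import datetime

# Constructed git-log excerpt in `git log --format='%h %ai'` form (hash, date,
# time, author offset). Hashes and dates are made up, not real xz commits.
SAMPLE_LOG = """\
a1b2c3d 2022-10-06 18:14:05 +0800
b2c3d4e 2022-10-06 12:27:41 +0200
c3d4e5f 2023-06-27 16:31:45 +0800
d4e5f6a 2023-06-27 11:19:55 +0300
e5f6a7b 2023-07-01 20:45:00 +0800
f6a7b8c 2023-07-03 21:10:30 +0800
"""

def parse_log(text):
    # (hash, aware datetime, offset string), ordered by absolute UTC instant
    commits = []
    for line in text.splitlines():
        sha, date, clock, off = line.split()
        dt = datetime.strptime(f"{date} {clock} {off}", "%Y-%m-%d %H:%M:%S %z")
        commits.append((sha, dt, off))
    return sorted(commits, key=lambda c: c[1])

def dominant_offset(commits):
    return Counter(off for _, _, off in commits).most_common(1)[0][0]

def minority_commits(commits):
    # the slips: commits whose recorded offset is not the one used for most work
    dom = dominant_offset(commits)
    return [sha for sha, _, off in commits if off != dom]

def impossible_pairs(commits, max_gap_seconds=3600):
    # consecutive commits minutes apart in real (UTC) time but with different
    # offsets: no traveller changes zone that fast, so the clock was set by hand
    hits = []
    for (sha_a, dt_a, off_a), (sha_b, dt_b, off_b) in zip(commits, commits[1:]):
        gap = int((dt_b - dt_a).total_seconds())
        if off_a != off_b and gap <= max_gap_seconds:
            hits.append((sha_a, sha_b, gap))
    return hits

def office_hours_fraction(commits, offsets, start=9, end=18):
    # share of commits in `offsets` made 09:00-18:00 local on a weekday; a high
    # share for the slipped zones and a low one for the spoofed zone is the tell
    sel = [dt for _, dt, off in commits if off in offsets]
    if not sel:
        return 0.0
    in_hours = sum(1 for dt in sel if dt.weekday() < 5 and start <= dt.hour < end)
    return in_hours / len(sel)
```

On the sample, the two minority commits each sit under fifteen minutes from a UTC+8 commit in real time, and only the UTC+2/+3 commits fall inside office hours.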

Takeaways

  • Audit the commit history and code changes of any open source maintainer gaining elevated access — look for suspicious modifications that weaken security rather than improve it.
  • Monitor unusual system performance spikes during software updates; a 500ms delay in routine operations often signals injection of extraneous code.
  • Assume that well-funded state actors are actively infiltrating critical infrastructure through supply chain attacks — assume ongoing compromise until proven otherwise.

Key moments

[2:35] The discovery of the delay

He observes a small, unusual delay in a normally well-oiled process, and during this delay he finds that the processor is using more resources than usual. He measures and realizes there is a delay of exactly 500 milliseconds.

[11:02] Jia Tan exploits overwhelmed maintainer

After 20 years of doing it almost entirely voluntarily, Lasse Collin is exhausted. He says in a reply email that he does this voluntarily, for leisure, and that right now he has mental health problems.

[14:34] Backdoor is planted

On February 23 and March 9, amid entirely legitimate changes to the code, including test files, the golden bug is introduced.

[18:00] Technical sophistication of the attack

What is brilliant, and especially why it would probably have taken years before anything was detected, is a complex three-level system with malicious code compiled and hidden in a corrupted file disguised as a test file.

[28:00] The timezone slip

The vast majority of his commits are dated UTC+8, but nine of them are dated UTC+2 or UTC+3 depending on daylight saving time. On October 6, 2022 and June 27, 2023 there are differences of just minutes between a commit at UTC+8 and a commit at UTC+2.
