# XZ Backdoor - OSINT ## Jia Tan ([github profile](https://github.com/JiaT75)) This is the account which was caught pushing a backdoor to the `xz` repository. The backdoor is quite intricate and advanced. To create such a well obfuscated backdoor, one would need a considerable amount of technical expertise. ### General info #### GitHub - Username: JiaT75 - GitHub Issues: [link](https://github.com/search?q=author%3AJiaT75&type=issues) - GitHub PR's: [link](https://github.com/search?q=author%3AJiaT75&type=pullrequests) - Name: Jia Tan - Aliases seen: - Jia Cheong Tan (Github full name before it changed to just "Jia Tan") - JiaT75 (Github username) - jiat0218 (email shortname/a few commits?) - Created on: `2021-01-06` - Email used: `jiat0218@gmail.com` - Primary Timezone: `+0800` ([Wikipedia > UTC+08:00](https://en.wikipedia.org/wiki/UTC%2B08:00)) - Other Timezones: - `+0200` - `de5c5e417645ad8906ef914bc059d08c1462fc29` @ 2024-02-12 17:09:10 +0200 - `e446ab7a18abfde18f8d1cf02a914df72b1370e3` @ 2024-02-12 17:09:10 +0200 - `1fc6e7dd1fabdb60124d449b99273330ccab3ff1` @ 2022-11-07 16:24:14 +0200 - `+0300` - `3d1fdddf92321b516d55651888b9c669e254634e` @ 2023-06-27 17:27:09 +0300 - `6a86e81cab202d0a812a7b2e9efacaf70c58ba38` @ 2022-10-06 21:53:09 +0300 - `ba3e4ba2de034ae93a513f9c3a0823b80cdb66dc` @ 2022-09-08 15:07:00 +0300 - `61f8ec804abdb4c5dac01e8ae9b90c7be58a5c24` @ 2022-07-25 18:30:05 +0300 - `4d80b463a1251aa22eabc87d2732fec13b1adda6` @ 2022-07-25 18:20:01 +0300 - `86a30b0255d8064169fabfd213d907016d2f9f2a` @ 2022-06-16 17:32:19 +0300 #### Cryptographic Key(s) ##### PGP https://keyserver.ubuntu.com/pks/lookup?search=22D465F2B4C173803B20C6DE59FCF207FEA7F445&fingerprint=on&hash=on&exact=on&op=index ##### SSH / GitHub These keys were obtained from GitHub [here](https://github.com/JiaT75.keys). RSA (4096 bit) key ``` ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDHVp3Bvg/ALC61dsGehbvoqic49D4SfoiiPURSEec3/phZdAfR1hD6QSNTHLY3QDTb0994ZwOFi05YpUM6/qwBUAbroS64/Mp55qDBlark5v83LcTq7a29VUH3Xvu7sAgdYda16a2KnmU5lhETvBfxuS+tpGin9raSp+B+z0PIpr9EmEeQgKtgKRQBiMWMtw7jBxm5INk54SmePNDva3f4ml08/Z4JM76dJ7DBQGrLUqZGsRFOZclMb3YOE7DjPGQQ37TzGvKwLaGvRuocA8oW5zp07+uQldP2LIbt0V99eyXrgD7WLc/sdzWeefoNltcgcV/KEg9ivD02qWFDBzAKMcJuLMhqxXIo64KZuVjWRrflgKCk5wZt0XPZ30MFqbBvjhn8zG7bIQJORmn/j6QSyHewu4Rre7uGxAuzee2PPSaSQ51dKgbdn3B3UuwN8KeIO54W1VYWip+GlG2tXHZAdJOgPPaM72OAqFQBta2MzcHi3/m2HgUNBttYhSUtaeX8myfiRcnC7APhZMOuU9rrHdti2KD6IVArtBiorZbs8iFlzUPmdYVdeFP7EtW6EWgZSLV7rN2r2+CNVJeTrX9zA+mnRjhjq4ffgRUoQikY876kY+1YiEERm7LRBMkKIzM4ZsBk7VQwImSGReyfwEht9tedU5mf5pkrbL8VSMrqQQ== ``` ED25519 key ``` ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFiXcmAAjTBp5kM2AUTJdAEB7DHyYuY8am8FIMROD3FG ``` #### Notable info ##### GitHub Name Changed Full Name was "Jia Cheong Tan" at least up until 2022-10-06 (see [Archive.org > Github/JiaT75](https://web.archive.org/web/20221006184706/https://github.com/JiaT75)) ##### GitHub Picture - GitHub Profile Picture dimensions are 255 by 255 (which is odd). Maybe this can be used to identify the true original source of the image? - The picture can be found in several clipart websites, eg: https://tineye.com/search/244c504ea8dd9e6b45ee8289fb6716de1ab6b98d?sort=score&order=desc&page=1 - https://www.iconarchive.com/show/arabesque-alphabet-icons-by-iconarchive.html ##### Tukaani mailing list Pretty active on the mailing list - Under the name "Jia Tan" since 2021-10-29 - Under the name "jiat0218" once on 2022-04-28 // why? why does it show up once under a slightly different name ##### Other - There is an unused github account called [jiat0218](https://github.com/JiaT0218) also created in 2021 #### (Incomplete) Collection of text by Jia This is just pull requests, but might be useful. Jia seems to speak english perfectly well. No langauge abnormalities etc. visible on first glance. ##### Pull requests - seatest - https://github.com/keithn/seatest/pull/28 - https://github.com/keithn/seatest/pull/29 - libarchive - https://github.com/libarchive/libarchive/pull/1598 - https://github.com/libarchive/libarchive/pull/1609 - https://github.com/libarchive/libarchive/pull/1682 - oss-fuzz - https://github.com/google/oss-fuzz/pull/9960 - https://github.com/google/oss-fuzz/pull/11286 - llvm-project - https://github.com/llvm/llvm-project/issues/63957 - wasmtime - https://github.com/bytecodealliance/wasmtime/pull/6839 ##### Linguistic analysis // TODO: Fill in information from Bellingcat here, please! ## The Mailing list ([mail-archive.com > xz-devel](https://www.mail-archive.com/xz-devel@tukaani.org/)) This is the general purpose mailing list for the xz project. Its notable that Lasse Collin has been active on it since at least 2011 (see https://www.mail-archive.com/xz-devel@tukaani.org/msg00000.html) The mailing list is notable/relevant to this because it not only has more text written by Jia, but also features what are generally thought to be Socketpuppet accounts (accounts created and controlled by whoever is behind this backdoor). ## People of interest **NOTE TO READERS!** _People listed here are likely **not** affiliated at all to the backdoor. They might be involved with attached software to XZ/liblzma in some way, or wrote code that made them interesting to look into. That is all!_ **Contributors** _Anything documented should be written as neutral as possible, please._ ### ivq aka Chien Wong ([GitHub](https://github.com/ivq) | [GitLab](https://gitlab.com/ivq)) - **Origin** Nanjing, China - **Email** `m@xv97.com` - **Website** [link](https://xv97.com/) #### Data - Made an interesting PR to CPython ([link](https://github.com/python/cpython/commit/ea51476320fb141a708f1aab380a620609e9fb30)) - User `wibeipummedo` discovered this GitHub ([link](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5010026#gistcomment-5010026)) - User `christoofar` wrote on GitHub ([link](https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27?permalink_comment_id=5010095#gistcomment-5010095)): > The PR would have caused CPython to move up the version it is binding to. This particular audience matters. A lot. It's the SoC tinkerboard community. They'll drive the mass adoption as Jia makes more enhancements and creating more targets. This is a significant find. - Contributor to Wireshark ### snappyJack aka Gordon Zhang ([GitHub](https://github.com/snappyJack)) - **Origin** ?, Singapore - **Email** `gordonzhangcn@gmail.com` - **Website** https://snappyjack.github.io #### Data ### ipavlov aka Igor Pavlov ([GitHub//TODO]() | [Wikipedia](https://en.wikipedia.org/wiki/Igor_Pavlov_(programmer))) - **Origin** Novosibirsk, Russian Federation - **Email** TODO #### Data - Author of 7Zip - Uses XZ as one of it's primary compression formats ### ilyakurdyukov aka Ilya Kurdyukov ([GitHub](https://github.com/ilyakurdyukov)) - **Origin** Novosibirsk, Russian Federation - **Email** TODO #### Data - Very proficient coder - IOCCC Winner (The International Obfuscated C Code Contest) ### Socketpuppet accounts It is generally suspected that whoever is behind this used several [Socketpuppet accounts](#Socketpuppet-accounts) to pressure Lasse into merging patches/commits that Jia made. #### Jigar Kumar (`jigarkumar17@protonmail.com`) Only 6 mails between 2022-04-27 and 2022-06-22 (see https://www.mail-archive.com/search?l=xz-devel%40tukaani.org&q=from:"Jigar+Kumar"&o=newest) #### Dennis Ens (`dennis3ns@gmail.com`) Also only 6 mails, but way more spread out between 2022-05-19 and 2024-03-05 (thats only a month ago) ## Unorganised Links (sort of an info dump so we dont loose focus/forget things) - The public xz mailing list (https://www.mail-archive.com/xz-devel@tukaani.org/) - https://www.mail-archive.com/xz-devel@tukaani.org/msg00556.html (28 Apr 2022) - [Gentoo bug report 925415 - app-arch/xz-utils-5.6.0[pgo]: segfaults when running tests](https://bugs.gentoo.org/925415) ## Links ### Repositories - Tukaani.org - [XZ](https://git.tukaani.org/?p=xz.git) - GitHub.com - XZ (removed by GitHub) - ### Blogs [“Everything I know about the xz backdoor”](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) ### Other ## Timeline **NOTE** Keep _all_ timestamps in UTC/Zulu time. If unable to verify timestamp, use `?` instead of `Z`. | Date | Time | Details | Link(s) | People | Note | | :--- | :--- | :--- | :--- | --- | :--- | | 2015-02-21 | 18:12:02Z | Debian Bug Reported | [#778913](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913) | Christoph Anton Mitterer | Submitter | | 2015-05-12 | 15:07:45Z | [1st patch proposed](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913#55) | [patch](https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=778913;filename=sshd.diff;msg=55) | Michael Biebl | Debian Maintainer | | 2015-05-12 | 20:54:04Z | [2nd patch proposed](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913#67) | [patch #2](https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=778913;filename=sshd-v2.diff;msg=67) | Michael Biebl | Debian Maintainer | | 2015-12-21 | 22:35:10Z | [Patch introduced in Debian Unstable](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=778913#97) | [patch](https://sources.debian.org/patches/openssh/1:7.9p1-10%2Bdeb10u2/systemd-readiness.patch/) | Colin Watson | Debian Maintainer | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | . | . | . | . | . | . | | 2024-02-?? | ??:??Z | Backdoor introduced | [commit](https://git.tukaani.org/?p=xz.git;a=commit;h=cf44e4b7f5dfdbf8c78aef377c10f71e274f63c0) | Jia Tan | xz Maintainer | | 2024-03-?? | ??:??Z | RedHat Bugzilla Report | [#2267598](report) | . | . | | 2024-03-?? | ??:??Z | Backdoor updated | . | Jia Tan | xz Maintainer | | 2024-03-29 | 15:51:25Z | backdoor in upstream xz/liblzma leading to ssh server compromise | [Openwall/oss-security](https://www.openwall.com/lists/oss-security/2024/03/29/4) | Andres Freund | Reported by | ## Todo (Just a list of things to complete in this doc, leads to follow/keep following) - Investigate Jigar Kumar on the mailing list - Check have I been pwned for all emails that come up during this investigation - How did Jia communicate with the fedora devs? Can we trace him from there? - check out git log to get exact date of name change - add interesting graphs like commit history vs authors(?) - Add that one graph from twitter that shows how the malicous commits were all from an unusual timezone for Jia