What the Linux XZ Backdoor Hack tells us about cybercrime



In early April, a Microsoft developer named Andres Freund uncovered what could have been the biggest cybercrime hack in history. While working on open-source database software, he noticed a tiny performance lag in the code. Digging deeper, Freund uncovered backdoor code inserted into a popular third-party compression tool routinely included in major Linux distributions.

 

A backdoor to the Internet

 

The implications are severe. Linux software powers many Internet servers, including at large companies and technology providers.

 

A backdoor would allow criminal parties to slip into those servers, where they can install dangerous software, steal data, snoop on traffic, and enjoy tremendous command and control. While the backdoor code doesn't do any of those things, it provides the way inside, bypassing security, encryption, and account verification layers.

 

Had the backdoor code entered the Linux mainstream, it would have given someone unprecedented access to many of the servers that make up the Internet.

 

A serious cybercrime operation

 

Who are the culprits? That remains unknown, but this was not a small or haphazard operation. To understand why, let's look at how open-source software works.

 

Open-source software is code that anyone can scrutinise. If you are a developer, you can download open-source code and change it as you see fit. While this sounds like a great opportunity for meddling, the open-source world counters harmful activity through layers of trust and accountability. A tight community of developers and testers continually look for irresponsible and malicious changes.

 

So, how did a piece of backdoor code slip into a popular open-source package?

 

Here, it gets interesting. When online sleuths started to track the changes, they quickly identified the user account responsible. They then uncovered a long trail of activity in which the account had established trust and credibility by working on multiple open-source projects and even became a prime maintainer of the targeted compression software. Some of these activities started back in 2020—a long-term social engineering con job.

 

The culprits spent years ingratiating themselves with developer communities, biding their time until they could slip a tiny bit of backdoor code into a widely distributed piece of software without raising suspicions. If it hadn't been for one lone developer who wondered why his software was milliseconds slower, the backdoor might have remained hidden and entered wide distribution.

 

Cybercrime is a serious business

 

Cybersecurity experts do not embrace the myth of cybercriminals as hoody-wearing social rejects sitting in basements. Such people exist but are a minority and far from apex cyber predators. Criminal gangs, crime syndicates, and dangerous nation-states organise most cybercrime attacks.

 

One person could not have done something as audacious as breaching the inner circle of high-level open-source developers. This operation took time, resources, and considerable social and technical skills. Had it succeeded, the XZ Backdoor (named after the targeted compression software) would have been the biggest cybercrime breach.

 

How does this relate to ordinary folk? Will a major cybercrime operation attempt to breach our devices? That's very unlikely unless you are someone incredibly important. But the XZ Backdoor is just one end of a long spectrum representing motivated attackers and the many dangerous tools they have at their disposal.

If you ever reasoned that you are not a cybercrime target because "Why would they attack me?", think of the tenacious criminals who tried to breach the Linux open-source community, once thought of as nearly impregnable. That was a targeted attack.

 

Most cybercrime attacks are not. They are opportunistic, like a dog sniffing along kitchen counters, hoping for some unattended food. They don't have to attack you specifically. They just have to attack someone, and if your systems are not sufficiently protected, you're as good a target as anyone else.

 

We're lucky that one person could spot and help stop the hack of the century. But don't rely on luck for your security. Take it seriously. If cybercriminals can breach one of the most suspicious communities on the planet, they won't pause at breaking into poorly-protected systems at any company.