Chinese Government official’s son gloats about multi-year hack targeting Australian intelligence agencies
A Chinese citizen understood to be the son of a senior Chinese Government official has privately claimed to be the architect of a multi-year infiltration operation that infected software used by Australia’s intelligence agencies.
Australia’s cyber intelligence agency, the Australian Signals Directorate, whose own websites are powered by the software, is publicly responding to the attack for the first time.
The Australian Cyber Security Centre, Department of Defence, Inspector-General of Intelligence and Security, Australian Criminal Intelligence Commission and Department of Foreign Affairs and Trade are also among the more than 350 agencies that have the same software embedded.
“It’s such a sophisticated backdoor … It’s hidden. Do not underestimate how impressive this piece of code is,” Harvard University lecturer Bruce Schneier said of the attack, which was detected in March.
Control of these Australian Government websites could have allowed the hacker to intercept reports of critical infrastructure cyber vulnerabilities, redirect national security agency job applicants to fake portals, retrieve passport applications, and plant malware to infect Australians visiting the sites.
“Once somebody takes over a system, their imagination is the limit when it comes to what they do with it,” Vul Labs vulnerability researcher Will Dormann said.
An investigation by The Nightly can reveal that the Chinese citizen, involved in a Chinese Government-sponsored hacker collective, claims to be the lead conspirator of the global XZ Utils attack.
The Nightly has discovered chat messages on a social media channel exchanged between the Chinese citizen and the collective.
“The guy is a second-generation official,” one hacker posted.
“Isn’t your dad a high-level official? He can definitely protect you,” another said.
“Don’t make me famous,” the Chinese citizen posts in the chat.
The Nightly is aware of separate evidence indicating that the Chinese citizen is indeed the son of a senior Chinese Government official and that he receives protection by the state.
There have been no reports of any person or group claiming responsibility for the global cyber attack until now.
“It’s nice to have an attribution. It’s exciting,” Schneier said of The Nightly’s discovery.
The attack was a “multi-year effort by a malicious threat actor to gain the trust of the (software) package’s maintainer and inject a backdoor”, the US Cybersecurity and Infrastructure Security Agency said last month.
XZ Utils is a data compression software preinstalled on devices worldwide.
The attacker, using the pseudonym Jia Tan, led a covert influence operation against its maintainer beginning in October 2021, before becoming a co-maintainer in the second half of 2022.
In February and March, they shipped the backdoor in two successive releases (versions 5.6.0 and 5.6.1), almost compromising the entire federal government along with hundreds of millions of computers.
The attack was discovered by US-based software engineer Andres Freund in late March after he noticed that SSH logins on a test machine were taking about half a second longer than they should and that the sshd process was consuming unusual amounts of CPU.
“It’s crazy that we got that lucky. I’m still in awe,” Schneier told The Nightly.
“Had the XZ backdoor not been detected when it was, this would have given attackers the ability to completely control any system with the backdoor active,” Dormann said.
The Nightly investigation uncovered the social media channel chat messages between the Chinese citizen and a hacker collective working for the Chinese Government. The messages were from 48 hours after Freund publicly announced he had detected the backdoor.
Detection of the attack “kicked off a mad scramble among security pros and government agencies to prevent the compromised code — known as XZ — from being used to launch spying campaigns or cyberattacks”, Washington D.C.-based POLITICO reported.
“Did you poison this thing?” one participant in the social media channel asked, referring to an early security bulletin about the XZ Utils attack.
“Who else can be as handsome as me?” the Chinese citizen claiming responsibility replied.
“Didn’t I tell you it was open-source stuff? Then I technically put in an SSH backdoor,” he says, describing the method of attack.
The targeted software, XZ Utils, is embedded in GovCMS, the Australian federal government’s content management software.
GovCMS installs XZ Utils from a software repository that had already pushed the infected version to all four of its distribution channels except one; that still-pending channel is the one from which GovCMS installs its software.
Asked how close the XZ attack was to becoming a potentially catastrophic cyber incident, Schneier said: “We were so close. We were one suspicious, bored engineer away. If he didn’t notice it if he was otherwise busy…”
“We’re lucky he was bored that night. And yet that is what saved us.”
This comes after another investigation by The Nightly revealed that Chinese spymasters have marked Australia’s top security research institute as a priority target alongside United States and Taiwanese military research entities.
It is the first time an Australian media outlet has published Chinese national security agency orders.
The messages show the Chinese citizen and the collective members reacting in real-time to the vulnerability being detected.
“I don’t understand. Which idiot discovered this?” the Chinese citizen claiming responsibility asked.
“Looks like it’s being dug out,” a fellow said.
“Bullshit”, he replied. “F---. How did he find out?”
The Nightly can also reveal that the cyber infiltration operation may not yet be neutralised.
“And not just this one”, he said after claiming the XZ attack.
“It’s okay. I have another open-source thing. It’s also been poisoned. Still can play with it. F---ing hell,” he told another hacker collective in further messages also discovered by The Nightly.
“Someone might actually come to your house and biubiu you,” a hacker said, using an onomatopoeia to mean “shoot you”.
“As long as I don’t leave Beijing,” he assured.
“I am invincible.”
Cyber security analysts had speculatively attributed the attack to Russian intelligence agencies and Middle Eastern hacking groups among others.
“I could guess it was a Chinese person with my eyes closed,” he observed.
Another fellow in the collective said: “This is the first time I’ve felt like the criminal suspect in the news is right beside me.”
“I think we are all lucky that it was discovered,” Dormann told The Nightly.
“It was very close to being released in mainline Linux distributions. Rolling releases already had it. Had it not been discovered when it had, it could have easily made it into Ubuntu 24.04 for example.”
Ubuntu, one of many popular Linux operating systems, is used by 50 million people worldwide every day.
“If you were abroad, those GNU Foundation people would have knocked on your door by now,” another member said, referring to a US-based software nonprofit.
The Chinese citizen and self-described lead conspirator claims to have had two co-conspirators: one who managed the GitHub user account under the Jia Tan pseudonym and another who crafted the backdoor.
“The person who wrote the backdoor is fine.”
“But the person who uploaded it can’t be contacted any more,” he said.
As global media reporting grew and a hacker said in jest that they would report him to the US National Security Agency, the hacker apparently grew anxious.
“Delete my chat history, for f---’s sake.”
“I didn’t exploit it on a large scale,” he said.
“I’m begging you guys, don’t mess with me, I’m all yours to play with, don’t mess with me, I’m begging you”.
In its first public comments about the XZ attack, the Australian Signals Directorate said: “ASD is aware of reporting of a malicious actor attempting to introduce a vulnerability to the XZ compression library, which is present in nearly every Linux distribution.”
“The XZ compression library is used throughout the world in many different web servers and application platforms. This vulnerability was detected and mitigated before it could be propagated into the production releases of the mainstream Linux distribution.”
“ASD encourages all entities to understand their IT environments to identify what is potentially vulnerable and to identify any impact when new vulnerabilities are discovered,” it said.
“ASD publishes cyber security alerts for common vulnerabilities and exposures that require urgent responses and where there is a direct threat to Australian entities.”
“ASD publishes advice on www.cyber.gov.au that can assist individuals and organisations to prepare and protect themselves against supply chain vulnerabilities,” it continued.
“ASD will continue to monitor the vulnerability and provide advice and assistance as required.”
The Department of Finance, which manages GovCMS, told The Nightly: “GovCMS was not impacted by the vulnerability CVE-2024-3094 that affected the XZ Utils package version 5.6.0 and 5.6.1 as both the Amazon Web Services (AWS) Cloud and GovCMS services do not have these Linux packages installed.”
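ASD’s advice above amounts to knowing which hosts carry the affected library and whether the SSH daemon is exposed to it. The script below is an added example written for this page, not code from The Nightly, ASD or the XZ Utils project: it parses the output of `xz --version`, flags the two backdoored release numbers named in the Department of Finance statement (5.6.0 and 5.6.1, CVE-2024-3094), and reports whether the local `sshd` binary links `liblzma`, the path through which the backdoor reached SSH. The sample version strings are constructed for the example; the function names and the `/usr/sbin/sshd` fallback path are assumptions.

```shell
#!/bin/sh
# Added example (not from the article or ASD): host check for the backdoored
# XZ Utils releases 5.6.0 and 5.6.1 (CVE-2024-3094).

# Return 0 (true) if the given xz version string is a known backdoored release.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the version number from "xz --version" output.
# The first line of real output looks like: "xz (XZ Utils) 5.4.5"
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# Check the running host. Prints findings; returns 0 if no affected version found.
check_host() {
    rc=0
    if command -v xz >/dev/null 2>&1; then
        ver=$(parse_xz_version "$(xz --version 2>/dev/null)")
        if xz_version_affected "$ver"; then
            echo "AFFECTED: xz $ver installed (CVE-2024-3094)"
            rc=1
        else
            echo "ok: xz ${ver:-unknown}"
        fi
    else
        echo "ok: xz not installed"
    fi
    # The payload hooked sshd through liblzma (pulled in via libsystemd on
    # affected distributions), so report whether sshd links liblzma at all.
    # /usr/sbin/sshd is an assumed fallback path if sshd is not on PATH.
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        if ldd "$sshd_bin" 2>/dev/null | grep -q liblzma; then
            echo "note: $sshd_bin links liblzma; verify the library version"
        else
            echo "ok: $sshd_bin does not link liblzma"
        fi
    fi
    return $rc
}

# Constructed sample outputs (not captured from a real host) to exercise the parser.
SAMPLE_CLEAN='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_BAD='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Usage: . ./xz_check.sh && check_host
```

A version-string match is only a first pass: distributions shipped patched packages that kept a 5.6.x version number with the malicious build scripts removed, so on such hosts confirm against the distribution’s advisory rather than the bare version. Conversely, a host whose `sshd` does not link `liblzma` was not reachable by this particular payload even if the library was present.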