Strider Report Reveals High-Risk Contributors Tied to Adversarial Nation-States

Unveiling Hidden Threats in Open-Source Software



A recent report published by Strider Technologies sheds light on a pressing issue in open-source software (OSS). The analysis reveals that individuals with connections to hostile nation-states, notably Russia and the People’s Republic of China, are actively contributing to critical software supply chains. This infiltration raises serious cybersecurity concerns and underscores the need for heightened scrutiny of contributions made to popular OSS platforms such as GitHub.

The Nature of Modern Geopolitical Risks



Strider's report, titled “Lying in Wait: Understanding the Contributors Behind Open Source Code”, provides a compelling narrative about how OSS platforms are increasingly being exploited by Advanced Persistent Threats (APTs). These threats manifest through subtle contributions, including the insertion of backdoors and the manipulation of trusted software components. The implications are alarming: malicious actors have the potential to hide threats within widely used software channels that cater to corporations, developers, and government entities alike.

According to Greg Levesque, Strider's CEO and co-founder, open-source software forms the backbone of today’s digital infrastructure. He asserts that the identities of those submitting code are often obscured, rendering organizations vulnerable to exploitation. “Nation-states like China and Russia are taking advantage of this visibility gap,” Levesque explains, emphasizing the potential for these individuals to introduce malicious code that can cause devastating effects.

APTs Targeting Open-Source Platforms



The report outlines specific groups, such as APT41 from the People’s Republic of China, Lazarus Group from North Korea, and Cozy Bear from Russia, that have found a haven in OSS platforms to further their strategic objectives. These groups have become known for their active contributions, undermining the transparency that OSS platforms aim to uphold. Their ultimate goals include infiltrating software supply chains, stealing sensitive data, and supporting long-term cyber espionage campaigns.

High-profile incidents, such as the compromise of the Python Package Index (PyPI), the Log4Shell vulnerability, and the backdoor incident involving XZ Utils, serve as reminders of the ongoing threat these state-sponsored actors pose.

Strider’s Innovative Filtering Technology



Leveraging its new OSS contributor filtering feature, Strider conducted an analysis of contributors across popular open-source repositories. This investigation notably identified accounts linked directly to state-affiliated actors from China, Russia, and Iran. For instance:

  • Over 21% of contributors to openvino-genai were found to possess affiliations signaling security threats. This includes two active contributors connected to various high-risk states.
  • The openvino-genai repository is crucial for contemporary AI inference workflows and contains code enabling the operation of generative AI models on consumer devices.
  • The OpenVINO toolkit boasts over one million downloads and is featured in 62 subsequent projects.

Highlighting a concerning connection, one contributor, known as “as-suvorov,” previously worked as a full-stack developer at MFI Soft, a U.S.-authorized software company that has undertaken considerable work for the Federal Protective Service (FSO), a cryptologic intelligence agency responsible for gathering and analyzing foreign communications and signal intelligence. Another contributor, “sbalandi,” was with Positive Technologies, a Russian IT firm sanctioned by the U.S. in 2021 for facilitating malicious cyber operations.

The Ultimate Call to Action



As organizations navigate an increasingly perilous digital landscape, Strider's findings serve as a clarion call. By highlighting the often-overlooked individuals behind code contributions, this report underscores the urgency for entities to assess the reliability of their systems critically. Awareness and proactive measures in scrutinizing contributors will be pivotal in safeguarding digital infrastructure from the lurking threats posed by state-sponsored cyber adversaries.

The full report and more information about Strider's open-source filtering tool can be accessed through their official channels. As technological innovation advances, transparency in contributor identity is not just a concern but a necessity to maintain cybersecurity integrity.

For details on Strider's initiatives and other insights into open-source security, visit their website at Strider Technologies.
