
Russia, China secretly insert malicious code in open-source software, says new report

As businesses and government services continue to adopt open-source software, a new report indicates that foreign actors are secretly infiltrating software infrastructure to advance malicious goals. 

According to the report from strategic intelligence company Strider, the widespread adoption of OSS has outpaced the development of relevant cybersecurity measures, allowing well-trained “advanced persistent threat groups” to insert malicious code into widely used software.

OSS is source code that is published under a license allowing any party to use, modify and redistribute it, usually at no cost. Anyone may change their own copy, but changes to the upstream project itself are accepted by its maintainers, which is why trust in contributors matters. The report argues that this openness has allowed state-affiliated actors from Russia, China and North Korea to distribute malicious code.

“The realities of our geopolitical situation require new approaches to protect that open environment,” the Strider report reads. “State-sponsored cyber threat groups, like APT41 (PRC), Lazarus Group (North Korea), and Cozy Bear (Russia), have exploited open source platforms such as GitHub to further their governments’ strategic objectives.”

Industry surveys cited in the report put the share of modern applications containing open-source components above 90%, and most commercial code bases incorporate some OSS.

Because OSS is so widely used in enterprise applications, a single line of malicious code inserted by state-affiliated actors can have a cascading effect across industries, the report noted. Such infiltrations can lead to “operational disruptions, data breaches, unauthorized access to sensitive information, and reputational damage.”

According to Strider, adding malicious code to popular OSS is not a quick operation for advanced persistent threat groups. Actors will sometimes spend years building a respectable reputation within a project before introducing harmful code.

“In some of these incidents that we’ve seen, people are taking years to gain trust and contributing sometimes 40, 50 times to a code before they start injecting a malicious backdoor that you don’t catch because it’s not being moderated or they’ve reached a status of a maintainer so that they can approve their own code,” Strider Director of Global Communications Paige Waltz said. “So there’s inherent risk when someone is playing the long game.”

As an example, Strider’s report cites the exploitation of the Log4Shell vulnerability (CVE-2021-44228) in the Apache Log4j logging library, disclosed in December 2021, where attackers used the flaw to execute arbitrary code on affected systems. Log4Shell was an unintentional defect rather than a planted backdoor; the report uses it to illustrate how far a single flaw in a widely embedded library can reach. The incident led to massive data breaches and compromised systems across various sectors.

Cybersecurity firms and government intelligence agencies found that actors associated with China, North Korea, Iran and Turkey were among those exploiting the flaw.

Strider reported that Log4Shell cost affected organizations upwards of $90,000 in incident response per incident, with the total cost to industry running into the billions. In 2023, nearly two years after disclosure, 72% of affected organizations were still reporting active exploitation attempts, according to the report.

The Strider report suggests that businesses and government entities use a “contributor-focused approach” when structuring security measures. By focusing on who is contributing to the code used, organizations are able to make informed decisions about the software they adopt. 

“Just as you would want to know whether a North Korean IT worker is applying for a job at your company, you should want to know whether someone who has a history of working with the PLA or Russian intelligence is already in your company by contributing the code that your company is using in their everyday workflows or in some of the technology and products that you’re developing,” Ms. Waltz said.
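One way to put the contributor-focused idea into practice is to review a dependency’s commit history for the pattern described above: a contributor who builds tenure with routine changes and then starts touching build scripts, CI configuration or opaque test fixtures, or whose activity suddenly spikes. The script below is an added example for this article, not Strider’s tooling and not code from any real project. The log format it parses (`hash|author|email|ISO date|paths`) is an assumed export of `git log`, the commit history is constructed, and the sensitive-path patterns and thresholds are illustrative choices.

```python
"""Contributor-tenure review over a dependency's commit history (added example).

Assumes a log exported as one line per commit:
    <hash>|<author name>|<author email>|<ISO-8601 date>|<path1>;<path2>;...
The sample history below is constructed for this illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample: a maintainer, a contributor who spends two years on small
# changes before moving into build files, and a brand-new contributor editing CI.
SAMPLE_LOG = """\
c01|Alice Maintainer|alice@example.org|2019-03-01T10:00:00+00:00|src/core.c
c02|Alice Maintainer|alice@example.org|2020-01-15T10:00:00+00:00|src/core.c;tests/core_test.c
c03|Bob Newcomer|bob@example.net|2022-02-10T10:00:00+00:00|docs/README.md
c04|Bob Newcomer|bob@example.net|2022-05-20T10:00:00+00:00|tests/core_test.c
c05|Bob Newcomer|bob@example.net|2022-09-01T10:00:00+00:00|src/util.c
c06|Bob Newcomer|bob@example.net|2023-01-12T10:00:00+00:00|src/util.c
c07|Alice Maintainer|alice@example.org|2023-06-01T10:00:00+00:00|src/core.c
c08|Bob Newcomer|bob@example.net|2024-01-05T10:00:00+00:00|build/autogen.sh
c09|Bob Newcomer|bob@example.net|2024-01-20T10:00:00+00:00|configure.ac;tests/data/blob.bin
c10|Bob Newcomer|bob@example.net|2024-02-02T10:00:00+00:00|src/util.c
c11|Carol Driveby|carol@example.com|2024-02-15T10:00:00+00:00|.github/workflows/release.yml
"""
REVIEW_DATE = datetime(2024, 3, 1, tzinfo=timezone.utc)  # assumed "now" for the review

# Illustrative patterns for files where injected code runs at build, release or
# CI time, or hides in fixtures nobody reads (the classic places to plant a backdoor).
SENSITIVE = re.compile(
    r"(^|/)(\.github|ci|build|m4|scripts)/"                 # CI and build-system directories
    r"|(^|/)(configure\.ac|Makefile(\.am)?|CMakeLists\.txt)$"  # build definitions
    r"|\.(m4|sh|cmake)$"                                    # build/helper scripts
    r"|(^|/)tests?/.*\.(bin|xz|gz|zip|tar)$"                # opaque binary test fixtures
)

@dataclass
class Commit:
    sha: str
    author: str
    email: str
    when: datetime
    paths: list[str]

@dataclass
class AuthorProfile:
    email: str
    name: str
    first: datetime
    total: int = 0
    recent: int = 0                                   # commits inside the review window
    sensitive_recent: list[str] = field(default_factory=list)

def parse_log(text: str) -> list[Commit]:
    """Parse the assumed export format into commits sorted oldest-first."""
    commits = []
    for line in text.strip().splitlines():
        sha, name, email, iso, paths = line.split("|", 4)
        commits.append(Commit(sha, name, email, datetime.fromisoformat(iso),
                              paths.split(";") if paths else []))
    return sorted(commits, key=lambda c: c.when)

def profile_authors(commits: list[Commit], now: datetime, window_days: int) -> dict[str, AuthorProfile]:
    """Aggregate per-author tenure, volume and recent sensitive-file edits."""
    window_start = now - timedelta(days=window_days)
    profiles: dict[str, AuthorProfile] = {}
    for c in commits:                                  # oldest-first, so first seen = tenure start
        p = profiles.setdefault(c.email, AuthorProfile(c.email, c.author, c.when))
        p.total += 1
        if c.when >= window_start:
            p.recent += 1
            p.sensitive_recent.extend(path for path in c.paths if SENSITIVE.search(path))
    return profiles

def review(commits: list[Commit], now: datetime, window_days: int = 90,
           newcomer_days: int = 180, burst_ratio: float = 3.0) -> dict[str, list[str]]:
    """Return {author email: [risk signals]} for authors worth a human look."""
    findings: dict[str, list[str]] = {}
    for p in profile_authors(commits, now, window_days).values():
        flags = []
        tenure_days = (now - p.first).days
        if tenure_days < newcomer_days and p.sensitive_recent:
            flags.append("newcomer touching build/CI/release files")
        if tenure_days > window_days:
            # Compare recent volume with the author's own historical rate per window.
            prior_per_window = (p.total - p.recent) * window_days / max(tenure_days - window_days, 1)
            if p.recent >= 3 and p.recent > burst_ratio * prior_per_window:
                flags.append("activity burst relative to history")
        if tenure_days >= 365 and p.sensitive_recent:
            flags.append("long-tenured contributor now editing build/CI/release files")
        if flags:
            findings[p.email] = flags
    return findings

if __name__ == "__main__":
    for email, flags in review(parse_log(SAMPLE_LOG), REVIEW_DATE).items():
        print(f"{email}: {', '.join(flags)}")
```

The flags are prompts for review, not verdicts: a long-tenured contributor legitimately taking over a build system looks the same as one preparing a backdoor, and the point of the contributor-focused approach is that someone then checks who that person is and whether the change was independently reviewed. Run against a real history with `git log --format='%H|%an|%ae|%aI' --name-only`, the paths need to be folded onto the commit line before parsing.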
