Who is Jia Tan? The hacker who waited 3 years to plant malware that has shaken the cybersecurity world

If you have been keeping up with cybersecurity news this past week, then you’ve most likely heard the name Jia Tan. It’s the name of a developer on GitHub who planted the most sophisticated backdoor in XZ Utils, an open-source library that is used for compression on major Linux distributions.

Unlike other malicious code that work by reaching out to the owner’s Command-and-Control (C2) server, Jia Tan’s code allowed him to connect to the target machine via SSH and authenticate with a private key.

The only reason that Jia Tan’s exploits were flagged is that one Microsoft engineer was unhappy because their SSH logins were taking a few milliseconds longer. After investigating it further, he noted that they were consuming an abnormal amount of CPU power.

This prompted the engineer to dig in further which led to the discovery of the backdoor that is now rocking the cybersecurity world.

Apart from his messages interacting with other developers on Github, Jia Tan left no other trace that could help unmask his identity.

However, what is most interesting is that Jia Tan created his Github account in 2021 and has since been building up for the attack.

First, Jia Tan submitted his first patch to XZ Utils in 2022. Shortly after, the original XZ Utils maintainer started getting pressure, mainly from two accounts, to add another maintainer as he was not regularly updating the library.

Between 2021, and April 2024 when the exploit was discovered, Jia Tan made thousands of legit code updates and even spoke with other developers seeking feedback on his work.

Could it be a case of good dev gone rogue? Three years is a long time to wait. But, the fact that Jia Tan’s account has no external links to any other profile is clear evidence that it was a well-thought-out plan leading up to exactly this moment.

However many in the cybersecurity world are convinced Jia Tan is not a lone actor but rather a handle operated by state-sponsored hackers.

“This multiyear operation was very cunning, and the implanted backdoor is incredibly deceptive,” noted Costin Raiu, who until last year served as the most senior researcher and head of the global research and analysis team at Kaspersky. “I’d say this is a nation-state-backed group, one with long-term goals in mind that affords to invest into multiyear infiltration of open source projects.”

Costin said it’s too early to determine the specific state, but pointed fingers at the three usual suspects. China, Russia, and North Korea.