Red Cell portfolio company Hunted Labs™ has revealed some hard truths about our global open source software ecosystem after identifying a dependency that constitutes a foreign control and influence risk which threatens U.S. national security.
In a newly released threat report, the software supply chain security firm details findings from its investigation into a suspicious piece of open source code known as “easyjson,” a Go package built to speed up the handling of JSON (JavaScript Object Notation), a format that provides an efficient way for different systems to exchange data. A critical direct and indirect dependency for thousands of open source and enterprise projects, easyjson is used globally, Hunted Labs reports. Here in the United States, it is broadly integrated into software underpinning myriad systems within the U.S. Department of Defense and commercial industries spanning virtually every critical sector, including finance, technology, and healthcare.
According to the Hunted Labs report, easyjson appears to be completely owned, maintained, and controlled by developers in Moscow working for one of Russia’s largest internet services conglomerates, VK Group (VK). Hunted Labs discovered easyjson’s association with VK during a security analysis to determine which open source components currently used in enterprise software on behalf of the U.S. government are under foreign ownership, control, or influence. The Hunted Labs team detected easyjson using its product Entercept™, which automatically flagged the package as seemingly owned and controlled by Moscow-based software developers.
What does Hunted Labs’ discovery mean in the broader context of security considerations, which increasingly affect every corner of our society? A great deal, especially given easyjson’s massive presence in popular and vital software. While there are no established vulnerabilities in the easyjson code base at this time, its full control by members of VK constitutes a risk in and of itself. The Hunted Labs blog about this issue outlines how the VK team could leverage their control to initiate a broad array of malicious actions that may or may not be noticed, and it offers suggestions to mitigate the risk.
Software supply chain attacks in recent years, such as the SolarWinds compromise, Log4Shell, and the XZ Utils backdoor, serve as a sobering reminder of the power competition that’s underway as Russia and China push for primacy and exert leverage against the United States. And, while easyjson is not being characterized as an active access vector, its quiet control by entities positioned against our interests highlights the human dimension of vulnerability and risk. As we utilize the open source software ecosystem, evaluating code against cybersecurity standards alone is no longer sufficient: we must treat the coders themselves as key components of the risk equation.
In the spirit of the democratic principles that help define the United States, we have purposely, and rightfully, fostered a global open source software framework, where developers from anywhere around the world can freely collaborate to use, modify, copy, and distribute software at will (and at speed). This transparency and collaboration have benefited all corners of our global society. Conceptually, they have enabled equal access to ever-advancing efficiencies and serve as the main building block for software today. The challenge, however, is the lack of visibility into who is contributing to this widely relied-upon ecosystem, which provides countless places for malicious actors to position themselves and lie in wait for the opportunity to inflict harm at a time and circumstance of their choosing. In fact, during its investigation, Hunted Labs found that Russian contributors maintained easyjson, accounting for more than 85% of all commits, which serve as records of changes to code repositories.
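The commit-share figure above is the kind of signal a defender can compute for any dependency from its own git history. The following is an added example, not Hunted Labs’ or easyjson’s code: it parses author e-mail addresses as produced by `git log --format=%ae`, computes each e-mail domain’s share of commits, and flags domains at or above a concentration threshold. The sample log, names, and domains are constructed for illustration.

```python
"""Commit-authorship concentration check for a dependency's git history."""
import subprocess
from collections import Counter

# Constructed sample of `git log --format=%ae` output: one author e-mail per
# commit. Names and domains are made up and do not reflect any real repository.
SAMPLE_AUTHOR_LOG = """\
alice@example-corp.ru
bob@example-corp.ru
alice@example-corp.ru
carol@example.org
alice@example-corp.ru
dave@example-corp.ru
bob@example-corp.ru
"""


def authors_from_repo(repo_path: str) -> str:
    """Collect author e-mails from a local checkout (real git invocation).

    Not called by default so the example runs offline on SAMPLE_AUTHOR_LOG.
    """
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--format=%ae"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


def commit_share_by_domain(log_text: str) -> dict[str, float]:
    """Return the fraction of commits attributed to each author e-mail domain."""
    domains = [
        line.strip().rsplit("@", 1)[1].lower()
        for line in log_text.splitlines()
        if "@" in line
    ]
    total = len(domains)
    if total == 0:
        return {}
    return {d: n / total for d, n in Counter(domains).items()}


def flag_concentration(shares: dict[str, float], threshold: float = 0.85) -> list[tuple[str, float]]:
    """Return (domain, share) pairs whose share meets the threshold, highest first."""
    hits = [(d, s) for d, s in shares.items() if s >= threshold]
    return sorted(hits, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for domain, share in flag_concentration(commit_share_by_domain(SAMPLE_AUTHOR_LOG)):
        print(f"{domain}: {share:.1%} of commits")
```

Domain-level share is only a first filter; an unusual concentration is a prompt for a closer look at who the maintainers are, not a verdict on its own.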
Hunted Labs brings to bear a potent mix of data and tools designed to empower software developers and defense teams with a greater level of visibility to characterize risk, identify blind spots, reduce noise, and stop threats in their tracks. Yet, they don’t stop at code; they extend their investigative lens toward the increasingly critical dimension – the coders. After all, it is people (and, now more often, autonomous agents) with agendas who leverage their influence on code as the medium by which to accomplish their intended effects. Hunted Labs not only reveals where the suspicious threats are; it goes several steps further by identifying the people behind the code, who they work for, what’s motivating them, and the tradecraft they may use to obfuscate these facts. And, while we have rightfully limited access into the U.S. by Kaspersky and Huawei, we are still accepting software into our government and critical infrastructure from the same origins.
In many ways, it’s astounding to consider the level of scrutiny that software engineers and developers must undergo before they can secure jobs in both the public and private sectors, yet the open source code that underpins this ecosystem – and the remote access it may afford to its developers – is largely allowed into our environments unexamined. Unfortunately, the easyjson findings by Hunted Labs are only the tip of the iceberg. The company has discovered other open source libraries with similar issues, which it will continue to unearth and bring to light. Yet, despite these dangers, Hunted Labs (and I) don’t advocate for an exodus from open source software. Rather, we want to emphasize the importance of awareness and proactivity. As the company underscores in its report: “By understanding the risks and taking proactive steps to mitigate them, we can continue to leverage the benefits of open source software while safeguarding our systems and our data.”
The stakes have never been higher, and they’re increasing with each passing day. This stark reality motivated me to join Red Cell and start its Cyber Practice upon retiring from the National Security Agency. After a career of exposing foreign threats and helping our government defend against them, I wanted to jump into the private sector to build and scale companies like Hunted Labs and bring differentiated security solutions with broad applicability to the needs of the private and public sectors. We’re well on our way.