Inserting malicious code into open source software has emerged as one kind of “protestware” against the Russian invasion of Ukraine. And a debate on the efficacy of encryption in the popular Telegram app is also front and center in the war.
Open source as a weapon and weak link
As part of the protest against the ongoing war, an open source developer added malicious code to a popular open-source package, wiping files on computers located in Russia and Belarus.
The packages originally added a "message of peace" on the desktop of any user installing the packages, according to the report. But later select npm versions of the node-ipc library launched a destructive payload to delete all data of users installing the package. The malware targeted users based in Russia and Belarus.
“Interestingly, the malicious code…would read the system's external IP address and only delete data by overwriting files for users based in Russia and Belarus.”
--BIG sabotage: Famous npm package deletes files to protest Ukraine war, Bleeping Computer, March 17, 2022
As a dependency, node-ipc is automatically downloaded and incorporated into other libraries, including ones that have over one million weekly downloads, according to Ars Technica.
While this kind of hacktivism can be an effective weapon in the ongoing Ukraine-Russia cyberwar, it also exposes a weak link in open source: one person can have a devastating impact on downstream applications.
“The protestware event exposes some of the risks posed when armies of volunteer developers produce the code that’s crucial for hundreds or thousands of other applications to run,” Ars Technica said.
Ukrainians get serious about encryption
Another cyber front in the war is encryption, as citizens seek out communications that can’t be seen by prying eyes.
Evidence of this trend is seen in Signal's growing popularity: the app has surpassed Telegram for the first time in Ukraine, according to Cloudflare, whose CEO tweeted about it February.
While both apps boast encryption, the way it’s implemented is not the same. In short, Signal is end-to-end encryption, while Telegram is not.
With Telegram, data is encrypted but the service owner has the encryption key and can read messages. With Signal, private encryption keys are held with the device owner. The service owner cannot read messages, as pointed out by InfoQ.
Signal founder Moxie Marlinspike went so far to tweet a warning to Ukrainians that Telegram does not implement end-to-end encryption.
"Telegram is the most popular messenger in urban Ukraine...most ppl there believe it’s an 'encrypted app.' The reality is the opposite-TG is by default a cloud database w/ a plaintext copy of every msg everyone has ever sent/recvd," Marlinspike said in February.
Both open source development and encryption implementation strategies play a significant role in the modern enterprise. Seeing these tactics used and misused in the Ukrainian resistance should remind us of how important it is to protect valuable encryption and open source assets in any large organization.