Security Experts Alert to Ongoing Threat Posed by Popular Open Source Tool in the US

Open-source software is increasingly a focal point for nation-state actors. George Barnes, a former deputy director of the National Security Agency (NSA), highlights the threat that Russian intelligence services could pose to open-source projects, pointing specifically to easyjson, a widely used Go library for JSON encoding. Barnes, who spent 36 years at the NSA, now serves as a senior advisor to and investor in Hunted Labs. He warns that these hackers may view easyjson as a vulnerability waiting to be exploited.

Barnes describes easyjson as "totally efficient code," noting that it has no known vulnerabilities and that no other company has flagged it as a risk. What raises alarm is its ownership: easyjson is maintained under VK, a company with close ties to the Kremlin. If he were an operative in the GRU or FSB, Barnes says, the opportunity would be obvious, because the library sits unguarded in the software supply chain.

Despite inquiries, VK Group has not commented on easyjson. The Department of Defense has also remained silent on the implications of its use within U.S. software systems. An NSA spokesperson stated that while the agency does not comment on specific software, it encourages the private sector to report potential threats, which the NSA evaluates in order to share relevant mitigations with the community.

GitHub, owned by Microsoft, says it investigates and addresses policy violations, but that it is currently unaware of any malicious code linked to easyjson, and it notes that VK as a company is not sanctioned. Other tech companies have taken different approaches to VK. After the UK imposed sanctions on Russian banks with stakes in VK, Apple removed VK's social media app from its App Store.

Dan Lorenc, CEO of the supply-chain security company Chainguard, points out that easyjson's connections to Russia are conspicuous, which makes it a "slightly higher" cybersecurity risk than other libraries. Similar red flags in other open-source projects may be far less apparent, he adds, so the same kind of risk can go unnoticed.

Lorenc emphasizes how difficult it is to establish trust in the open-source community, where developer identities and locations are frequently obscured. Code integrity is what matters most: the characteristics of the codebase and its development practices weigh more heavily in a security assessment than who the developers are.
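Lorenc's point, that the code itself and how it is pinned matter more than who wrote it, has a concrete form in Go, the language easyjson is written in: go.sum records an `h1:` checksum of each dependency's full contents, and the toolchain rejects a module whose contents no longer match. The program below is an added example, not code from the article, from VK, or from the easyjson project. It recomputes that checksum with the published algorithm (sha256 over a sorted list of per-file sha256 lines, base64-encoded), parses constructed go.sum text, flags every pinned module under a path prefix you want to review (here `github.com/mailru/`), and shows that a one-line change to a dependency's source breaks verification. The file contents, the go.sum lines and the version `v0.7.7` are constructed for illustration; nothing here is real easyjson source or a real published hash.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// mod is the module@version under review; the version is illustrative.
const mod = "github.com/mailru/easyjson@v0.7.7"

// hash1 recomputes a Go module checksum in the "h1:" format that go.sum records:
// sha256 each file, write "<hex-sha256>  <name>\n" in sorted-name order, then
// sha256 that summary and base64-encode it. File names carry the module@version
// prefix, as they do inside a module zip.
func hash1(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for name := range files {
		names = append(names, name)
	}
	sort.Strings(names)
	summary := sha256.New()
	for _, name := range names {
		fileSum := sha256.Sum256(files[name])
		fmt.Fprintf(summary, "%x  %s\n", fileSum, name)
	}
	return "h1:" + base64.StdEncoding.EncodeToString(summary.Sum(nil))
}

// pinnedSums parses go.sum text into module@version -> recorded content hash.
// The "version/go.mod" lines cover only the go.mod file and are skipped here.
func pinnedSums(goSum string) map[string]string {
	pins := map[string]string{}
	for _, line := range strings.Split(goSum, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || strings.HasSuffix(f[1], "/go.mod") {
			continue
		}
		pins[f[0]+"@"+f[1]] = f[2]
	}
	return pins
}

// verify reports whether the files of modVersion hash to the value go.sum pins.
func verify(pins map[string]string, modVersion string, files map[string][]byte) (bool, error) {
	want, ok := pins[modVersion]
	if !ok {
		return false, fmt.Errorf("%s is not pinned in go.sum", modVersion)
	}
	return hash1(files) == want, nil
}

// flagged lists pinned modules whose path starts with prefix, sorted for stable output.
func flagged(pins map[string]string, prefix string) []string {
	var out []string
	for mv := range pins {
		if strings.HasPrefix(mv, prefix) {
			out = append(out, mv)
		}
	}
	sort.Strings(out)
	return out
}

// sampleFiles is a constructed stand-in for a module's contents (not real easyjson source).
func sampleFiles() map[string][]byte {
	return map[string][]byte{
		mod + "/go.mod":         []byte("module github.com/mailru/easyjson\n\ngo 1.12\n"),
		mod + "/buffer/pool.go": []byte("package buffer\n\n// constructed placeholder\n"),
	}
}

// sampleGoSum builds go.sum lines from the constructed files; a real go.sum
// carries the hash published for the module, which is not reproduced here.
func sampleGoSum() string {
	files := sampleFiles()
	parts := strings.SplitN(mod, "@", 2)
	goModOnly := map[string][]byte{"go.mod": files[mod+"/go.mod"]}
	return fmt.Sprintf("%s %s %s\n%s %s/go.mod %s\n",
		parts[0], parts[1], hash1(files), parts[0], parts[1], hash1(goModOnly))
}

// tamper returns a copy of files with one source file modified.
func tamper(files map[string][]byte) map[string][]byte {
	out := make(map[string][]byte, len(files))
	for k, v := range files {
		out[k] = append([]byte(nil), v...)
	}
	name := mod + "/buffer/pool.go"
	out[name] = append(out[name], []byte("// appended line\n")...)
	return out
}

func main() {
	pins := pinnedSums(sampleGoSum())
	fmt.Println("modules under github.com/mailru/:", flagged(pins, "github.com/mailru/"))
	ok, _ := verify(pins, mod, sampleFiles())
	fmt.Println("pristine module verifies:", ok)
	ok, _ = verify(pins, mod, tamper(sampleFiles()))
	fmt.Println("tampered module verifies:", ok)
}
```

In a real project the equivalent check is `go mod verify`, which recomputes these hashes over the module cache, and keeping `GOSUMDB` enabled has the first download of each module checked against the public checksum database as well. Pinning protects against a dependency's contents changing underneath you; it does not protect against a maintainer publishing a malicious new version that you then upgrade to, which is where reviewing the diff of each dependency bump still matters.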

Scrutiny of open-source projects has intensified since Russia's invasion of Ukraine. In October, a Linux kernel maintainer removed 11 Russian developers from the kernel's list of maintainers, citing sanctions compliance. Earlier this year the Linux Foundation issued guidance on how international sanctions affect open-source work, advising developers to exercise caution in their interactions with colleagues from sanctioned countries.

This evolving situation raises critical questions about the role and security of open-source software in the global ecosystem. For businesses, the concrete exposure is a dependency whose maintainers could be pressured or replaced, so awareness of which libraries they pull in and who controls them becomes imperative. In MITRE ATT&CK terms, a compromised library is an initial-access vector (Supply Chain Compromise, T1195.001: Compromise Software Dependencies and Development Tools) that also gives an attacker persistence in every build that includes it, and evaluating that path is part of assessing the risk.
