Many criminal hacking gangs originate from Russia and nearby points in Eastern Europe, and their ransomware and malware is sometimes found with settings that automatically disable it if regional languages are set on the target computer. An open source project maintainer essentially did the opposite in protest of the war in Ukraine, targeting computers with an IP address in Russia or Belarus with an update. The act of attempted “hacktivism” was supposed to leave a “message of peace” on these computers, but instead started overwriting files with a heart symbol.
The incident has caused an uproar in the free and open source software (FOSS) community, and adds to an ongoing debate about the validity and strategic usefulness of targeting random civilians for the actions of their government.
Open source community stunned as project manager distributes malicious code
Hosted on Github, the “node-ipc” package is a highly popular networking tool that is used all over the world and has at times been downloaded a million times per week. A project manager going by “RIAEvangelist” added two new modules to a recent update: “peacenotwar” and “oneday-test,” which they described as “protestware.”
RIAEvangelist says that these modules were supposed to place an anti-war message on the desktops of users with a Russian or Belarusian IP address, calling it a “non-destructive example of why controlling your node modules is important.” What actually ended up happening for some users in those countries is that files began to be overwritten with a heart symbol.
RIAEvangelist claimed that this was not intentional and that his Twitter account was being targeted by hackers, and then seemed to flee from the internet in the face of a massive tide of outrage. His last update to the node-ipc page indicated that people had been sending him pizzas as a harassment technique and that someone may have sent a SWAT team to his home.
Going by the comments on the Github page, the open source community very much did not support this attempt at hacktivism. The offending version has since been removed.
The misguided hacktivism impacts not only individual users, but quite a few programs that depend on node-ipc. A Github user has put together a list of these, with some of the biggest names being the Vue-CLI packages and the Embark framework.
Malicious acts call hacktivism into question
The Electronic Frontier Foundation (EFF) issued a statement decrying the use of malware in hacktivism in response to this incident, pointing out that this indiscriminate attack might have shut down a hospital or critical infrastructure in one of the target countries.
Ukraine has called for volunteers from around the world since near the beginning of the war, including a “hacktivism brigade” of sorts that it refers to as an “IT Army” and encourages to launch remote cyberattacks against Russia. There have been several attacks of this nature, for example the temporary takeover of a Russian state-owned TV broadcast and disabling of electric vehicle chargers, with the loose hacktivism group Anonymous also getting involved in these efforts.
The issue with these sorts of attacks is that they tend to indiscriminately do damage to civilians, many of whom are not involved politically and may even be against the war. The argument that is usually made for targeting random civilians with economic damage or other forms of material deprivation is that it will in some vague sense “force them to do something” about their government, though it is not usually clear what is expected of them other than an extended campaign of the sort of protesting that tends to be ineffective in these situations.
As the response to the node-ipc attempt at hacktivism would indicate, this does not appear to be a majority view. The incident also raises questions about to what extent open source package security can be trusted, something that was already in the air thanks to the recent vandalism of the widely used “colors” and “faker” NPM libraries. This was another case that appeared to be an attempt at hacktivism, as the developer expressed frustration with corporate for-profit use of open source libraries and intentionally broke his own libraries (which in turn broke all sorts of software that depended on them). At the very least, organizations are now confronted with the fact that open source security is only as good as the people developing and maintaining it.
As Mark Waggoner (Principal Engineer at LogRhythm) observes, this type of insider sabotage is nearly impossible to detect in advance and is very unlikely to be detected until it is already wreaking havoc on the systems that make use of it.
“This action adds a new potential threat actor to our risk assessments for using FOSS or FOSS-derived software. This scenario is very eye opening and frankly frightening. Even organizations who are following best practice guidelines put out by NIST and CISA would have no way of identifying this type of sabotage before it was active in their environment. Since this package was altered by the maintainer and then uploaded to the package manager through entirely valid workflows, it will have all the correct hashes and signatures that security professionals would check. In addition to that, it seems the maintainer also went out of his way to obfuscate their additions to the code base by using base64 encoding to make it even more difficult to identify by either automated means or human reading of the code. Today, with almost all software having at least some reliance on FOSS products, this action seriously increases the risks for any software company, developer, or even end user of these products.”
Sally Vincent, Senior Threat Research Engineer at LogRhythm, suggests securing against future incidents of “protestware” hacktivism by stepping up monitoring efforts and strengthening scrutiny of code sources: “The inclusion of “protestware” in the open-source node-ipc module serves as reminder to all organizations that use of open-source software comes with security risks.”