For roughly two years, a contributor operating under the identity "Jia Tan" submitted patches to the XZ Utils open-source project — the compression library present in most Linux distributions. The patches were clean, useful, and unremarkable. Jia Tan built a reputation as a careful maintainer. He was eventually granted commit access. In February 2024, he inserted approximately 500 lines of obfuscated code into XZ Utils versions 5.6.0 and 5.6.1. The code was a backdoor — specifically, a modification to the way the library interacted with systemd-linked SSH daemons that would, on affected systems, allow remote code execution via SSH for anyone holding a specific private key.
The CVSS score was 10.0 — the maximum. Had the versions shipped in stable Linux releases before detection, the backdoor would have been present on hundreds of millions of systems worldwide. It was discovered on 29 March 2024 by Andres Freund, a Microsoft engineer, who noticed that SSH logins on a system running the affected versions were consuming 500 milliseconds more CPU time than expected. He investigated. The investigation revealed the backdoor.
The key fact is not the sophistication of the code — though it was considerable, concealed using test-file obfuscation that separated the malicious binary injection from the visible source. The key fact is the timeline. Two years of legitimate contribution. Two years of building the institutional trust that would eventually be converted, in a single commit, into the most widely distributed targeted backdoor in the history of Linux. Analysts with knowledge of the methodology have pointed toward a sophisticated nation-state actor; some have noted similarities to APT29 tradecraft, though no formal attribution has been published.
Supply chain compromise is not a new category of threat. What the XZ Utils case documents is how far the patience and investment required to execute it have evolved.
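As an added triage example (not part of the article, and not code from the XZ Utils project), the script below checks the two conditions the article describes for exposure: whether the installed xz is one of the backdoored releases 5.6.0 or 5.6.1, and whether the local sshd is linked against liblzma, which on systemd-integrated builds happens through libsystemd. The checks parse `xz --version` and `ldd` output as text, so they are exercised here on constructed sample output; the `/usr/sbin/sshd` path and the Debian-style library paths in the sample are assumptions.

```python
"""Added example: triage helper for the XZ Utils backdoor (CVE-2024-3094).

Two facts from the article drive the checks:
  * the backdoor shipped in xz/liblzma 5.6.0 and 5.6.1;
  * it is reachable only when sshd is linked (via libsystemd) against liblzma.
The parsers work on captured command output so they can be tested offline;
run_host_checks() executes the real commands when the script is run directly.
"""
import re
import shutil
import subprocess
from typing import Dict, Optional

# Releases the article names as carrying the backdoor.
AFFECTED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# First line of `xz --version` looks like: "xz (XZ Utils) 5.6.1"
_VERSION_RE = re.compile(r"^xz \(XZ Utils\) (\d+\.\d+\.\d+)", re.MULTILINE)


def parse_xz_version(version_output: str) -> Optional[str]:
    """Extract the version string from `xz --version` output, or None if absent."""
    m = _VERSION_RE.search(version_output)
    return m.group(1) if m else None


def is_affected_xz_version(version: Optional[str]) -> bool:
    """True when the installed xz is one of the two backdoored releases."""
    return version in AFFECTED_XZ_VERSIONS


def sshd_links_liblzma(ldd_output: str) -> bool:
    """True when `ldd <sshd>` lists liblzma.

    ldd resolves transitive dependencies, so a libsystemd -> liblzma link
    appears as its own 'liblzma.so.5 => ...' line.
    """
    return any(line.strip().startswith("liblzma.so") for line in ldd_output.splitlines())


def assess(version_output: str, ldd_output: str) -> Dict[str, object]:
    """Combine both signals; 'exposed' is True only when both conditions hold."""
    version = parse_xz_version(version_output)
    affected = is_affected_xz_version(version)
    linked = sshd_links_liblzma(ldd_output)
    return {
        "xz_version": version,
        "affected_version": affected,
        "sshd_links_liblzma": linked,
        "exposed": affected and linked,
    }


def run_host_checks(sshd_path: str = "/usr/sbin/sshd") -> Dict[str, object]:
    """Run the real commands on this host (assumes Linux with xz and ldd present)."""
    xz = shutil.which("xz")
    version_out = subprocess.run([xz, "--version"], capture_output=True, text=True).stdout if xz else ""
    ldd_out = subprocess.run(["ldd", sshd_path], capture_output=True, text=True).stdout if shutil.which("ldd") else ""
    return assess(version_out, ldd_out)


# Constructed sample output mimicking a Debian-style host running the backdoored release.
SAMPLE_XZ_VERSION = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_LDD_LINKED = (
    "\tlinux-vdso.so.1 (0x00007ffd2b3f4000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2a000000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c29fc0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29dc0000)\n"
)

if __name__ == "__main__":
    print("sample:", assess(SAMPLE_XZ_VERSION, SAMPLE_LDD_LINKED))
    print("host:  ", run_host_checks())
```

A version match alone is the signal that matters for patching; the liblzma link is what separates "backdoored library installed" from "backdoor reachable over SSH", which is the distinction an incident responder needs when prioritising hosts. The sshd path varies by distribution, so pass it explicitly where `/usr/sbin/sshd` does not apply.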
MOVEit: The Industrial Scale
Where the XZ Utils backdoor demonstrated patience and precision, the Cl0p group's exploitation of a zero-day vulnerability in Progress Software's MOVEit Transfer demonstrated scale. MOVEit Transfer is a managed file transfer application used across healthcare, financial services, government, and legal sectors to move sensitive data between organisations. On the Memorial Day 2023 weekend, Cl0p mass-exploited CVE-2023-34362 — a SQL injection flaw — across every internet-exposed MOVEit instance simultaneously. The timing was deliberate: a long weekend reduces the speed of response.
The final tally from the MOVEit campaign extended well into 2024 as victim organisations completed breach notifications: over 2,700 organisations compromised, data on more than 95 million individuals exposed. Estimated total breach-related costs across victim organisations exceeded $15 billion. By victim count, it is the largest single supply-chain exploitation event in documented history.
Cl0p operated without deploying ransomware encryption — a departure from its earlier model. The campaign was pure data-theft-and-extortion: exfiltrate regulated data, threaten disclosure, demand payment. This approach has several operational advantages over traditional ransomware. It requires no persistent access; the exploit, exfiltration, and exit can all occur in a compressed window. It does not disrupt operations in ways that would trigger immediate incident response. And it generates leverage against every organisation in the victim's disclosure obligation chain — healthcare providers, insurers, pension funds, and their regulators — regardless of which organisation held the data.
The organisation that owns the data is not always the organisation that controls the vulnerability. That gap is the supply chain attack surface.
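The page states that CVE-2023-34362 was a SQL injection flaw but does not reproduce the affected MOVEit query, so the following is an added, hypothetical illustration (not Progress Software's code) of the general defect class and its fix: a lookup that splices caller input into SQL text beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table standing in for a file-transfer application's metadata store. The table layout, tenant names and file names are all constructed.

```python
"""Added example: the shape of a SQL injection flaw and its parameterised fix.
Uses SQLite in memory; the 'transfers' table and its rows are constructed sample data.
"""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three transfers belonging to two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transfers (id INTEGER PRIMARY KEY, owner TEXT, filename TEXT)")
    conn.executemany(
        "INSERT INTO transfers (owner, filename) VALUES (?, ?)",
        [
            ("acme-health", "patients-2023.csv"),
            ("acme-health", "claims-q2.xlsx"),
            ("northbank", "ledger.parquet"),
        ],
    )
    return conn


def list_transfers_vulnerable(conn: sqlite3.Connection, owner: str) -> List[str]:
    """VULNERABLE: the caller-supplied owner is spliced into the SQL text,
    so the database parses the input as SQL rather than treating it as data."""
    sql = f"SELECT filename FROM transfers WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def list_transfers_hardened(conn: sqlite3.Connection, owner: str) -> List[str]:
    """HARDENED: a bound parameter is always a string value, never SQL syntax."""
    sql = "SELECT filename FROM transfers WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


# A tautology input: closes the quoted string and appends an always-true condition.
# Against the vulnerable function it collapses the tenant boundary.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(list_transfers_vulnerable(conn, "northbank"))  # ['ledger.parquet']
    print(list_transfers_vulnerable(conn, TAUTOLOGY))    # every tenant's files
    print(list_transfers_hardened(conn, TAUTOLOGY))      # [] - no owner has that name
```

The point for the MOVEit case is the second call: one injected condition removes the per-tenant `WHERE` clause for an application whose whole purpose is holding many organisations' regulated data side by side, which is why a single flaw scaled to thousands of victims. The fix is mechanical (bind every value), and the operational control is to treat any internet-exposed transfer gateway as a multi-tenant boundary that deserves the same query-review and logging attention as an authentication system.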
Snowflake: The Credential Layer
The Snowflake breach campaign of April–June 2024 illustrates a variant of supply chain compromise that operates through credential theft rather than software vulnerability. The threat actor UNC5537, tracked by Mandiant, used credentials harvested by infostealer malware — some dating as far back as 2020 — to log directly into Snowflake customer environments. Snowflake's own infrastructure was not compromised. Approximately 165 customer environments were accessed. Approximately 80% of those accesses used credentials stolen by infostealers; none of the affected accounts had multi-factor authentication enforced.
The resulting victim list established the downstream scope of a single cloud data platform's customer base as an attack surface: Ticketmaster, with data on approximately 560 million customers offered for sale; Santander, with 30 million customers, 6 million account numbers, and 28 million credit card numbers; AT&T, Advance Auto Parts, and LendingTree, among others. The Snowflake platform was not vulnerable. The organisations that stored sensitive data on it, without MFA, were. The distinction matters for threat modelling but not for the individuals whose data was exposed.
The Snowflake case is particularly instructive because the credentials used were old. Some had been stolen years before they were used. The infostealer operators who collected them and the initial access broker (IAB) market that distributed them had maintained their inventory, while the victim organisations had not rotated the affected credentials, had not enforced MFA, and had not detected the prior compromise. The attack was not fast. It was patient — in the way that all good supply chain attacks are patient.
CDK Global and the Single Point
On 19 June 2024, BlackSuit ransomware encrypted CDK Global's production environment. CDK Global is the largest dealer management system provider in North America, serving approximately 15,000 automotive dealerships. Every CDK customer went offline simultaneously. Some dealerships ran on paper for two to three weeks. Vehicle sales, financing, and service operations were disrupted across the US automotive retail sector. CDK reportedly paid approximately $25 million in ransom to BlackSuit — a figure confirmed by blockchain analysis — to accelerate recovery.
The CDK incident is a supply chain attack in the sense that matters operationally: not a software vulnerability, but a structural dependency. When a single SaaS vendor serves 15,000 customers in a sector with limited tolerance for operational downtime, that vendor is a target whose compromise is equivalent to compromising the sector. The dealerships had outsourced their operational infrastructure to a single point of failure. The ransom was paid not to recover their own systems, but to recover their access to a third party's. BlackSuit is widely assessed to be a rebrand of the Royal ransomware group, which itself absorbed former Conti affiliates after that group dissolved.
Field note — Supply chain security assessments should identify three distinct threat vectors: software component risk (open-source libraries, commercial tools, firmware), credential and access chain risk (third parties with privileged access to your environments), and operational dependency risk (SaaS providers whose unavailability would halt your operations). For each category, the relevant control is different. For software components: software bill of materials maintenance and continuous vulnerability monitoring. For credential chains: enforced MFA universally, quarterly rotation of service account credentials, and audit of all third-party access grants. For operational dependencies: documented recovery procedures that do not assume vendor availability, and contractual obligations for incident notification timelines. The organisations that absorbed the Snowflake damage disproportionately were those that had neither enforced MFA on cloud platforms nor conducted inventory of what data resided in which environment.
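The following is an added example (not from the article, and not tied to any vendor's API) of a credential-chain audit of the kind the field note calls for, covering the two conditions the Snowflake passage above turned on, no enforced MFA and credentials left unrotated for years, together with the field note's quarterly rotation limit and review of third-party access grants. The account records, names, vendor names and dates are constructed; the 90-day threshold is taken from the note's "quarterly" wording.

```python
"""Added example: credential and third-party access audit over constructed account records.
Flags (1) accounts without enforced MFA, (2) service-account credentials older than the
rotation limit, and (3) third-party grants that have gone unused for the same period.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ROTATION_DAYS = 90  # quarterly rotation, per the field note


@dataclass
class Account:
    name: str
    is_service_account: bool
    mfa_enforced: bool
    credential_set_on: date            # when the current password/key was issued
    last_login: Optional[date]         # None if never used
    third_party: Optional[str] = None  # vendor holding this credential, if any


@dataclass
class Finding:
    account: str
    issue: str
    detail: str


def audit(accounts: List[Account], today: date) -> List[Finding]:
    """Apply the three checks to every account and return the findings."""
    findings: List[Finding] = []
    for a in accounts:
        age_days = (today - a.credential_set_on).days
        if not a.mfa_enforced:
            findings.append(Finding(a.name, "no_mfa",
                                    "MFA not enforced; a stolen password alone grants access"))
        if a.is_service_account and age_days > ROTATION_DAYS:
            findings.append(Finding(a.name, "stale_credential",
                                    f"credential is {age_days} days old (limit {ROTATION_DAYS})"))
        if a.third_party:
            idle = a.last_login is None or (today - a.last_login).days > ROTATION_DAYS
            if idle:
                findings.append(Finding(a.name, "dormant_third_party_grant",
                                        f"grant held by {a.third_party} unused for over {ROTATION_DAYS} days"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per issue type, e.g. for a dashboard or ticket summary."""
    return dict(Counter(f.issue for f in findings))


# Constructed sample: the audit date and four accounts on a cloud data platform.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # Long-lived loader credential from 2020, never rotated, no MFA: the Snowflake pattern.
    Account("etl-loader", True, False, date(2020, 3, 15), date(2024, 5, 30)),
    # Well-kept human account.
    Account("analyst-jane", False, True, date(2024, 4, 1), date(2024, 5, 31)),
    # Recently rotated vendor credential, but no MFA and not used since January.
    Account("vendor-bi-readonly", True, False, date(2024, 4, 15), date(2024, 1, 10), "BI Vendor Ltd"),
    # Contractor grant never logged in, credential six months old.
    Account("contractor-svc", True, True, date(2023, 12, 1), None, "Contractor Inc"),
]

if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for f in results:
        print(f"{f.account:20} {f.issue:28} {f.detail}")
    print(summarize(results))
```

Real platforms expose the inputs differently (a user listing with an MFA flag, an access-history table for last login), so the `Account` records are the normalised form an inventory job would produce; the value of the audit is that it joins credential age, MFA state and third-party ownership in one place, which is exactly the inventory the passage says the worst-hit Snowflake customers lacked.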
The four incidents described here — XZ Utils, MOVEit, Snowflake, CDK Global — span different mechanisms, different sectors, and different threat actor categories. What they share is the structure of the compromise: in each case, the organisation that suffered the impact was not the organisation that held the vulnerability. The attack entered through a trusted relationship, a vetted tool, an authorised platform, or a critical dependency. The perimeter model of security — in which organisations defend their own systems from external intrusion — has no architecture for this. The organisations best positioned to manage supply chain risk are those that have stopped treating the perimeter as the relevant boundary and started treating every trust relationship as an attack surface to be understood, monitored, and constrained.
Sources & further reading
- CISA/Bitdefender — XZ Utils Backdoor Advisory: https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-xz-upstream-supply-chain-attack
- Picus Security — CVE-2024-3094 Analysis: https://www.picussecurity.com/resource/blog/cve-2024-3094-a-backdoor-in-xz-utils-leads-to-remote-code-execution
- Wired — The Mystery of Jia Tan: https://www.wired.com/story/jia-tan-xz-backdoor/
- BankInfoSecurity — MOVEit Victim Count 2,618+ orgs: https://www.bankinfosecurity.com/known-moveit-attack-victim-count-reaches-2618-organizations-a-23640
- Resecurity — Cl0p MOVEit Supply Chain Exploit: https://www.resecurity.com/blog/article/cl0p-ups-the-ante-with-massive-moveit-transfer-supply-chain-exploit
- TechCrunch/Mandiant — Snowflake Campaign: https://techcrunch.com/2024/06/10/mandiant-hackers-snowflake-stole-significant-volume-data-customers/
- Wired — Snowflake / Ticketmaster / Santander: https://www.wired.com/story/epam-snowflake-ticketmaster-breach-shinyhunters/
- CyberScoop — CDK Global $25M Ransom: https://cyberscoop.com/cdk-ransom-blacksuit-25-million/
- CRN — CDK Paid $25M: https://www.crn.com/news/security/2024/cdk-paid-25-million-ransom-to-expedite-recovery-after-attacks-report