Security Concerns Rise Over easyjson’s Open Source Connections to Russia

Security researchers have recently raised the alarm about easyjson, a widely used JSON serialization library for the Go programming language that generates marshaling and unmarshaling code for Go structs instead of relying on reflection at run time. The library is popular across the cloud-native ecosystem and underpins countless open-source projects. It is now drawing intense scrutiny because of its ties to Russian developers and to well-known individuals closely connected to the Kremlin.

easyjson has been publicly available on GitHub since 2016, with the majority of commits made before 2020. As the library's adoption has grown, so have concerns about the supply-chain risk it carries, particularly amid expanding international sanctions and geopolitical conflict.

The most prominent person connected to easyjson is Vladimir Kiriyenko, the Russian oligarch who became CEO of VK Group in December 2021. VK Group operates VK, Russia's counterpart to Facebook, which makes the connection all the more significant. Kiriyenko has been under sanctions since February 2022, which raises the question of what that status means for software projects associated with the company he leads.

In January 2023, the Linux Foundation released guidance on how international sanctions might affect open source software and projects like easyjson. Hunted Labs' most recent analysis found a particularly notable pattern: some of the most prolific contributors to easyjson in recent years live and work in Moscow. This geographic concentration of maintainers amplifies the risk the project poses to its downstream users.

Dan Lorenc, CEO of Chainguard, added that easyjson's ties to Russia raise its risk profile. He emphasized, “In the overall open source space, you don’t necessarily even know where people are most of the time.” This lack of developer provenance is an additional risk for organizations consuming open source tools such as easyjson.

Additionally, George Barnes, a former deputy director of the National Security Agency (NSA), has been raising alarms about the possibility of threats from Russian hackers, who he thinks might view easyjson as low-hanging fruit ripe for future abuse. Commenting on the quality of the tool, he said, “It is totally efficient code. There’s no known vulnerability about it, hence no other company has identified anything wrong with it.”

So far no vulnerabilities have been discovered in easyjson, and the NSA has not released any statements about substantive faults in the software. An NSA spokesperson noted that while they cannot comment on easyjson directly, “The NSA Cybersecurity Collaboration Center does welcome tips from the private sector.” They underscored the need to share lessons learned and mitigations implemented with the community.

The Cybersecurity and Infrastructure Security Agency (CISA) echoed this message and pointed to Hunted Labs for deep-dive analyses of open source projects such as easyjson. CISA recognizes the critical role risk assessment plays when using open source tools and encourages consumers to take steps to make informed decisions.

Hayden Smith, an expert in cybersecurity, highlighted a critical perspective: “We’re telling you to just make really good risk informed decisions when you’re trying to use open source.” He added, “Open source software is basically good until it’s not,” underlining the inherent unpredictability associated with such tools.

As organizations increasingly rely on open source software, they face challenges in understanding the backgrounds and intentions of its developers. Panellist Scott Hissam noted that many existing efforts already collect information about open source projects, and that this transparency lets consumers make better-informed choices.

The easyjson saga exposes national security risks that originate in the use of open source software, especially when that software is created and maintained by parties under the control of a foreign adversary. Given the complexities involved, organizations that adopt such tools into their infrastructure should tread carefully; at a minimum, they should know whether the library is present in their dependency graph at all and which of their direct dependencies pull it in.
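As an added example, not taken from the article or from the easyjson project, the following Go program shows the kind of inventory check the advice above implies. It parses the output of `go mod graph`, which lists one `parent child` edge per line with the root module appearing without a version, and reports every path from the root module to the easyjson module path `github.com/mailru/easyjson`, so a team can see which direct dependencies bring it in. The sample graph, the root module `example.com/app`, and every module name other than easyjson are constructed for illustration and do not describe any real project.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed `go mod graph` output for a hypothetical module example.com/app.
// All module names except github.com/mailru/easyjson are made up for this example.
const sampleGraph = `example.com/app github.com/mailru/easyjson@v0.7.7
example.com/app example.com/lib@v1.2.0
example.com/lib@v1.2.0 example.com/other@v0.1.0
example.com/other@v0.1.0 github.com/mailru/easyjson@v0.7.7
github.com/mailru/easyjson@v0.7.7 github.com/josharian/intern@v1.0.0
`

// Target module path whose presence we want to trace.
const target = "github.com/mailru/easyjson"

// stripVersion turns "path@v1.2.3" into "path". The root module carries no version.
func stripVersion(s string) string {
	if i := strings.IndexByte(s, '@'); i >= 0 {
		return s[:i]
	}
	return s
}

// ParseModGraph converts `go mod graph` output into an adjacency list keyed by
// module path (versions dropped) and returns it with the root module, which is
// the left-hand side of the first edge.
func ParseModGraph(out string) (root string, deps map[string][]string) {
	deps = map[string][]string{}
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // skip blank or malformed lines
		}
		from, to := stripVersion(fields[0]), stripVersion(fields[1])
		if root == "" {
			root = from
		}
		deps[from] = append(deps[from], to)
	}
	return root, deps
}

// FindPaths returns every simple path from root to the target module through the
// dependency graph. The `seen` set prevents cycles, which can occur in module graphs.
func FindPaths(root, target string, deps map[string][]string) [][]string {
	var paths [][]string
	var walk func(node string, trail []string, seen map[string]bool)
	walk = func(node string, trail []string, seen map[string]bool) {
		trail = append(trail, node)
		if node == target {
			paths = append(paths, append([]string(nil), trail...)) // copy before storing
			return
		}
		seen[node] = true
		for _, next := range deps[node] {
			if !seen[next] {
				walk(next, trail, seen)
			}
		}
		delete(seen, node)
	}
	walk(root, nil, map[string]bool{})
	// Deterministic ordering so the report is stable between runs.
	sort.Slice(paths, func(i, j int) bool {
		return strings.Join(paths[i], " ") < strings.Join(paths[j], " ")
	})
	return paths
}

// EasyjsonPaths runs the check against the constructed sample graph.
func EasyjsonPaths() [][]string {
	root, deps := ParseModGraph(sampleGraph)
	return FindPaths(root, target, deps)
}

func main() {
	paths := EasyjsonPaths()
	if len(paths) == 0 {
		fmt.Println(target, "is not in the dependency graph")
		return
	}
	for _, p := range paths {
		fmt.Println(strings.Join(p, " -> "))
	}
}
```

On a real project, pipe `go mod graph` into the program instead of the embedded sample. The toolchain's own `go mod why -m github.com/mailru/easyjson` prints a single import chain that explains why the module is required; the program above lists every chain, which matters when the goal is to decide which direct dependencies would have to change for easyjson to drop out of the build.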
