Can We Detect Foreign Influence and Deception in our Open-Source Software? (A Pushwoosh Case Study)
When the US Government detects Russian influence in critical software systems, they don't take it lightly. Such was the case with Pushwoosh, an open-source software package that helps developers create tailor-made application notifications based on a user's online activity.
Despite presenting itself as a California-based U.S. company, the Army and CDC discovered Pushwoosh was headquartered in the Siberian town of Novosibirsk and pays taxes in Russia.
Of course, since this software is open-source, it should be expected that developers from all over the world contribute to its codebase. But the problem wasn't that some developers were Russian. The problem stems from the perception that Pushwoosh veiled its true identity, taking measures to deceive the public regarding its origin and operations.
As such, the CDC quickly removed the package from seven major public-facing applications. The Army had already removed an application containing Pushwoosh back in March of 2022.
Now the two questions everyone is asking are:
The Danger of Software Supply Chain Attacks
Open-source software is a force multiplier for most software developers, which is why over 98% of companies that develop software use open-source in their designs.
Despite the time and money open-source saves, it does come with certain risks -- namely that open-source software is developed all over the world by developers with unknown (and sometimes suspicious or questionable) credentials.
Which wouldn't be a problem if we could perfectly detect malicious code. But we can't, and this leads to a nasty class of attacks. Attacks from foreign adversaries. Attacks that can find their way into critical Government systems.
While a typical vulnerability that is discovered in the wild can exploit only one application, malicious code surreptitiously inserted into an open-source package can find its way into many, many applications. Worse, it can find its way into a critical or sensitive system that would have otherwise been difficult, if not impossible, to compromise... Getting your hands on a fighter jet to attack is a tall order. Submitting malicious code into an open-source package that gets designed into the fighter jet's software stack can be done by anyone in the world with a keyboard and internet connection.
Preventing Software Supply Chain Attacks
One thing is for certain: If we continue to only play the vulnerability-detection game, we'll continue to be on the defensive, always playing catch-up, always reacting to problems, always responding to newly discovered vulnerabilities instead of preventing them from happening in the first place. This is why the industry is moving towards a "risk-based approach." In the case of Pushwoosh, there were a few risks we were quickly able to detect that would have prevented the Army, the CDC, or anyone else from deploying this open-source package in their applications to begin with.
Risk 1: Significant Influence by Country
In most of the 35 Pushwoosh open-source repositories, nearly one third of the contributions to the codebase came from Russia, another third from Germany, and the final third from Thailand. While this might not be a problem for many open-source software packages, it is suspicious for a package that is developed by a company that claims to be American (or any other country besides Germany, Russia, or Thailand for that matter).
As the screenshot below shows, the number of Russian contributions is significant, especially compared with the number of contributions from America, which is non-existent.
Risk 2: Quickly Discredited Credentials
Pushwoosh never mentioned its Russian connection. Furthermore, their own corporate filings, headquarters listings, and executives were quickly discredited with a bit of internet sleuthing.
First, as was already mentioned, Pushwoosh presents itself as a California-based US Company. But if you look at their Twitter location, they present as if they are headquartered in Washington, D.C. Looking at Facebook and LinkedIn shows headquarters in Maryland. What's more suspicious, their Maryland address is residential, and their California address is non-existent.
Second, their company is filed in Delaware but not listed as Russian. Also, they have a big operation out of Thailand, but are not registered there.
Finally, the two executives they listed on LinkedIn were discovered to not be real people.
Any one of these factors might be cause for concern. These three factors together raise a big red flag.
Risk 3: Suspicious Influence by Contributor
By looking at influence between contributors, we can clearly see that developers who are central to the development of Pushwoosh are a) Russian, and b) heavily influenced by other Russian developers.
In a typical, healthy open-source software project, we would see contributions from all over the world. But to see such heavy influence by one country on a single codebase indicates that development is likely happening in that region. This doesn't mean anything malicious is going on or that those developers create lower quality code. But when a company masquerades itself as American yet is heavily influenced by Russian developers, groups like the Army and the CDC should (and did) take note.
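The two signals described under Risk 1 and Risk 3 (country share of commits versus the claimed home country, and how much of a central contributor's collaboration comes from the same country) can be computed from ordinary commit metadata. The following is an added example, not Dark Sky's tooling or any Pushwoosh data; the commit records and the per-author country labels are constructed, and in practice the country would be inferred from commit e-mail domains or author timezones.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample commit records: (author, country, files touched).
# The country field stands in for whatever the commit metadata suggests;
# these are not real Pushwoosh commits.
COMMITS = [
    ("anna", "RU", ["sdk/core.py", "sdk/push.py"]),
    ("boris", "RU", ["sdk/core.py", "sdk/push.py"]),
    ("dmitry", "RU", ["sdk/core.py", "build/Makefile"]),
    ("clara", "DE", ["docs/README.md", "docs/api.md"]),
    ("dieter", "DE", ["docs/README.md"]),
    ("ekk", "TH", ["tests/test_push.py"]),
    ("anna", "RU", ["tests/test_push.py"]),
    ("ploy", "TH", ["tests/test_push.py", "docs/api.md"]),
]

def country_shares(commits):
    """Fraction of commits attributed to each country (Risk 1)."""
    counts = Counter(country for _, country, _ in commits)
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()}

def origin_mismatch(commits, claimed_country, threshold=0.25):
    """True when the claimed home country has no commits at all while
    some other country supplies at least `threshold` of them."""
    shares = country_shares(commits)
    others = [c for c, s in shares.items() if c != claimed_country and s >= threshold]
    return shares.get(claimed_country, 0.0) == 0.0 and bool(others)

def shared_file_graph(commits):
    """Weighted contributor graph: edge weight = number of files both touched."""
    touched = defaultdict(set)
    for author, _, files in commits:
        for path in files:
            touched[path].add(author)
    graph = defaultdict(Counter)
    for authors in touched.values():
        for a, b in combinations(sorted(authors), 2):
            graph[a][b] += 1
            graph[b][a] += 1
    return graph

def same_country_influence(commits):
    """Most central contributor (highest total edge weight) and the share
    of that contributor's collaboration that comes from the same country (Risk 3)."""
    country = {author: c for author, c, _ in commits}
    graph = shared_file_graph(commits)
    central = max(graph, key=lambda a: sum(graph[a].values()))
    total = sum(graph[central].values())
    same = sum(w for nbr, w in graph[central].items() if country[nbr] == country[central])
    return central, country[central], same / total
```

On the constructed sample, a company claiming a US origin is flagged because US commits are absent while Russia supplies half of them, and the most central contributor draws 60% of her collaboration weight from other Russian contributors.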
It's Long Past Time to Check our Software Ingredients
You can bake a cake that looks good, smells good, and tastes good. But if one of the ingredients is bad, it can make everyone sick. How can you prevent this from happening? Check the dates, smell each ingredient, inspect for mold or other issues, and throw out the offending ingredients.
In the case of software, the open-source packages we use are those very ingredients, and these packages are made up of code, build artifacts, contributors, and all the information associated with each. If we ignore this information, we possibly ignore a bad ingredient and allow malicious code into a software application. But by inspecting each one carefully using a risk-based approach and technology to support it, we can get ahead of the vulnerability curve and detect problems before they cause problems.
This Pushwoosh issue is a perfect example of why such an approach is necessary to our software supply chain, especially when it comes to critical applications developed by our military or Government agencies. We're excited that tools like ours can detect these kinds of issues and give our country a fighting chance to prevent these kinds of software supply chain problems before they compromise a critical system.
About Dark Sky Technology
Dark Sky Technology is securing the world of software that powers our nation's most critical systems, devices, and applications by identifying malicious threats, untrusted code, and cyber attacks in open-source software. Our advanced analytics on open-source packages protect the software supply chain and enable our customers to deploy secure, reliable, trusted software with confidence.