Russia’s biggest bank has warned its users to stop updating software due to the threat of “protestware”: open-source software projects whose authors have altered their code in opposition to Moscow’s invasion of Ukraine.
Most of the protestware simply displays anti-war, pro-Ukrainian messages when it is run, but at least one project had malicious code added which aimed to wipe computers located in Russia and Belarus, prompting outrage and charges of unintentional collateral damage.
In response to the threat, Sberbank, a Russian state-owned bank and the biggest in the country, advised Russians not to update any software for the time being because of the increased risk, and to manually check the source code of any software they do need to update—a level of vigilance that is unrealistic for most users, and no real defence against a payload hidden inside an encoded string.
“We urge users to stop updating software now and developers to tighten control over the use of external source code,” Sberbank said in a statement reported by Russian media and cybersecurity firms.
When the Russian invasion of Ukraine began, some suggested that in order to impose costs on Moscow, tech firms should stop sending updates to Russian users. No tech firm has gone that far, but around two dozen open-source software projects have been spotted adding code protesting the war, according to observers tracking the protestware movement. Open-source software is software that anyone can modify and inspect, making it more transparent—and, in this case at least, more open to sabotage.
Collateral damage?
The most severe case of protestware so far took place inside node-ipc, a popular open-source Node.js library for inter-process communication. It is downloaded more than a million times every week.
The developer behind node-ipc, RIAEvangelist, had written a protest module called PeaceNotWar, which node-ipc pulled in as a dependency. The code added a “message of peace” to users’ desktops, they explained on GitHub.
“This code serves as a nondestructive example of why controlling your node modules is important,” the author wrote. “It also serves as a nonviolent protest against Russia’s aggression that threatens the world right now … To be clear, this is protestware.”
But node-ipc also had code added to it that located its users by looking up the machine’s public IP address and, if they were found within Russia or Belarus, overwrote files on disk.
The malicious code was added on March 15, according to Liran Tal, a researcher at the cybersecurity firm Snyk. The new code was hidden within base64-encoded data, which made it hard to spot in a casual review of the source.
Soon after the code was published, a GitHub post went viral claiming that the code hit servers operated by an American nongovernment organization in Belarus and that the sabotage “resulted in executing your code and wiping over 30,000 messages and files detailing war crimes committed in Ukraine by Russian army and government officials.”
The code remained part of the package for less than a day, according to Snyk. The message allegedly from the American NGO has not been verified, and no organization has made a public statement about any damages.
“While this is an attack with protest-driven motivations, it highlights a larger issue facing the software supply chain: the transitive dependencies in your code can have a huge impact on your security,” Tal wrote.
This is not the first time open-source developers have sabotaged their own projects. In January, the author of another popular npm package, colors, published a version containing an infinite loop that hung any application loading it until the change was reverted.
A new movement
Protestware is just the latest of multiple attempts by activists to use tech to pierce Russian censorship and deliver anti-war messages. Activists have been using targeted advertisements to push news about the war in Ukraine to ordinary Russians who are otherwise at the mercy of accelerating censorship and ubiquitous state propaganda. Crowdsourced reviews and anti-war pop-up messages are tactics that have been employed since Russian troops began their invasion.
For the most part, protestware is further evidence that much of what can be seen publicly of the cyberwar unfolding around Ukraine is tied first and foremost to the information and propaganda war.
Protestware can deliver similar anti-war messages, but within the open-source community there are worries that the possibility of sabotage — especially if it goes further than simple anti-invasion messaging and starts destroying data — can undermine the open-source ecosystem. Although it is less well known than commercial software, open-source software is enormously important to running every facet of the internet.
“The Pandora’s box is now opened, and from this point on, people who use open source will experience xenophobia more than ever before, EVERYONE included,” GitHub user NM17 wrote. “The trust factor of open source, which was based on goodwill of the developers is now practically gone, and now, more and more people are realizing that one day, their library/application can possibly be exploited to do/say whatever some random dev on the internet thought was ‘the right thing to do.’ Not a single good came out of this ‘protest.’”