After ‘Protestware’ Attacks, Russian Bank Warns On Updating Software

As Russian forces continue to invade and attack the Ukrainian community, the consequences of these actions continue to take a devastating toll on the technology sector including open-source software development. Recently, Sberbank – Russians largest bank made an announcement to its customers to temporarily halt the installation of software updates to any application after a “protestware” attack targeted Russian and Belarusian users. This call was made out of concern that these software updates may contain some form of malicious code that is specifically targeted at unsuspecting Russian users.

According to a Russian news source, Sberbank mentioned that “Currently, cases of provocative media content being introduced into freely distributed software have become more frequent. In addition, various content and malicious code can be embedded in freely distributed libraries used for software development. The use of such software can lead to malware infection of personal and corporate computers, as well as IT infrastructure.” Sberbank didn’t say it had fallen victim to an attack, but the bank decided to warn its clients about the threat of malicious code being “embedded in freely distributed libraries used for software development.” The Russian bank has advised that when there is an urgent need to use the software, users should ensure they scan such files with an antivirus or manually review the source code. Few Russians have considered this suggestion by Sberbank as likely impractical, if not impossible, for most users who aren’t tech-savvy.

According to The Verge News, the reasons for this announcement has been referenced to an incident that happened in March, where the developer of a widely used JavaScript library added an update that overwrote files on machines located in Russia or Belarus. Supposedly implemented as a protest against the war, the update raised alarm from many in the open-source community, with fears that it would undermine confidence in the security of open-source software overall. The update was made in a JavaScript module called node-ipc, which, according to the NPM package manager, is downloaded around 1 million times per week and used as a dependency by the popular front-end development framework Vue.js.

According to other reports from another news source The Register, updates to node-ipc made on March 7th and March 8th added code that checked whether the IP address of a host machine was geolocated in Russia or Belarus, and if so, overwrote as many files as possible with a heart symbol. A later version of the module dispensed with the overwriting function and instead dropped a text file on users’ desktops containing a message that “war is not the answer, no matter how bad it is,” with a link to a song by Matisyahu.

Although reports say that the most destructive features of the “protestware” module no longer appear in the code, however, the consequences have proven harder to undo. Since open-source libraries are essential for software development, a wide-ranging loss of trust in their integrity could have knock-on big effects for users in Russia and elsewhere.

In a tweet, cybersecurity analyst Selena Larson has referred to it as “forced insecurity”; in general, the open-source community has openly criticized protestware and the updates to node-ipc in particular, saying it undermines trust in the open-source system. Because of how integral open-source code is to every computer system, the fallout from a protestware attack can also be unpredictable and cause massive collateral damage.

More broadly, the ongoing Russian-Ukraine unrest has posed difficult ethical problems to the Russian technology sector. While global tech leaders like Amazon, Apple, Sony and the rest of them have halted sales and businesses in the Russian market, others are keen on remaining in business with Russia. In a blog post recently, Cloudflare CEO Matthew Prince confirms his company would continue to provide service in Russia despite pressure to call it to quit, in the blog post he wrote “Russia needs more Internet access, not less.”