Russia’s largest bank tells its clients to delay downloading software updates after ‘protestware’ attacks target Russian users

March 22, 2022, 11:07 AM UTC

Sberbank, Russia’s largest bank, is advising its customers to delay software updates after a “protestware” attack targeted Russian and Belarusian users, and threatened to delete their files.

So-called protestware is when an activist programmer—or “hacktivist”—inserts malicious content into a library of open-source code in order to make a political statement. The effects of a protestware attack can spread very quickly across numerous computer systems, because many programers rely on open-source libraries to create software. Following Russia’s invasion of Ukraine, some hacktivists have used the tool to campaign against Russia.

Between March 7 and 8, a programmer using the handle RIAEvangelist wrote an update to node-ipc—a common piece of open-source code that other programmers frequently use when writing systems software. The malicious update executed code that scans users’ IP address when they download node-ipc. If the IP address comes from Russia or Belarus, the code would delete all of the user’s system files and replace them with a heart emoji.

RIAEvangelist quickly removed the malicious code after software engineering forum GitHub flagged the virus as a critical vulnerability, yet followed up with a new attack—titled “peacenotwar”—that would save a text file with an antiwar message on a user’s computer.

Sberbank didn’t say it had fallen victim to the attack, but the bank decided to warn its clients about the threat of malicious code being “embedded in freely distributed libraries used for software development.” The bank advised its customers to either avoid updating computer programs or to manually check the source code to ensure that no malicious updates had been included.

Advocates of open-source software coding have strongly criticized protestware, and the updates to node-ipc in particular, saying it undermines trust in the open-source system. Because of how integral open-source code is to every computer system, the fallout from a protestware attack can also be unpredictable and cause massive collateral damage.

On GitHub, one user claiming to work for an American nongovernment organization alleged that the malicious node-ipc update had deleted evidence of Russian war crimes in Ukraine from its Belarus-based server. The post was later withdrawn, and no NGO has come forward to substantiate the claim.

“Protestware” is also a reminder that many open-source projects—which act as the backbone for countless computer systems—are controlled, maintained, and updated by individual programmers, rather than professional organizations. The node-ipc attack was created by the individual responsible for maintaining its code, rather than an external attack from a third party. 

“You have to trust the people that you’re getting the components from,” Brian Fox, CTO of enterprise software company Sonatype, told SC Media

Never miss a story: Follow your favorite topics and authors to get a personalized email with the journalism that matters most to you.