If you’ve missed probably the largest cybersecurity story since Stuxnet, and arguably bigger than that, I suggest you start looking at the last few days.

Start here.

https://news.ycombinator.com/item?id=39865810




> arguably bigger than that

That’s a stretch. Stuxnet was the first acknowledged state cyber attack, utilized multiple zero-days, and destroyed nuclear weapons manufacturing facilities. Bigger in scope, sure, but bigger unconditionally? I don’t know about that.


From my point of view, from what we know today, it is bigger than Stuxnet because:

Stuxnet: aimed to delay one nuclear facility that was still being built.

SSH pre-auth RCE: root access to most servers on the planet, impacting everyone from hobbyist self-hosters (that's me) to large businesses (of every type imaginable) to probably even some of the security agencies around the world. With SSH's track record, a lot of people choose to trust it as their internet-facing access protocol.

I expect that whoever made this would have picked their targets carefully to avoid revealing the backdoor, so probably they'd aim (at least at first) at a handful of businesses of interest (advanced chip manufacturing, say) and governments, rather than causing tangible widespread issues in some way. Theoretically, though, (perhaps upon being discovered) if they'd just drop `rm -rf && poweroff` on all reachable systems (perhaps having it spread into networks in a worm-like fashion, setting a timer for 30 seconds so that it can propagate), most computer-based systems would just stop working (either killed themselves, or from failing routers or other systems they relied on), and lots of them would lose data because their backups either weren't working or were also impacted. Consider just how much involves a computer today, from infrastructure to hospitals. That's a whole lot more impact than a delayed nuclear program due to some unpublished Windows exploits.

What modulates this potential impact is the question of how many important systems run something other than the OSes they were currently in the process of targeting (Debian, Ubuntu, and Fedora afaik), how many servers require a VPN (or similar) to access ssh and have no outward-facing ssh server anywhere on their network, and how many years it would have taken to uncover (more and more systems would have been running this over time).


> SSH pre-auth RCE: root access to most servers on the planet, impacting everyone from hobbyist self-hosters (that's me) to large businesses (of every type imaginable) to probably even some of the security agencies around the world.

No, absolutely not; that didn't actually happen. Most servers on the planet that are running x86_64 Linux are probably not running a rolling-release distro based on .deb or .rpm. Rolling-release (or a beta version of the next OS release) is required because I can't imagine one of them updating to a new version of a library like this until the next major release of their OS, and .deb/.rpm because those are the only build environments where the backdoor would get built into the library. (And on top of that, only systems where sshd is patched to link to libsystemd.)

Also: while I will admit that there are many businesses with abysmal security practices, most will not have ssh exposed to the public internet; that'll require access to the corporate VPN as well. You note this, but fail to recognize the impact.

Even hobbyists probably aren't hit by this in large numbers. I run a VPS for a variety of things, and it runs Debian stable. Assuming this backdoor attempt was never found, it wouldn't get installed on it until mid-/late-2025, when Debian trixie is likely to be released (plus some time for me to get around to upgrading it).

I did have the affected package on my laptop, which runs Debian testing. But I don't have sshd enabled on it all the time, and even if I did, my laptop is rarely on a network without NAT (and I usually opt to tether to my phone when in public rather than use public WiFi). All the other machines on my home network are also running Debian stable, and were unaffected.

I suspect that precious few systems even had the backdoor installed on them, and of those, even fewer were accessible directly on the public internet.

Now this could have been bigger than Stuxnet, if the backdoor had remained secret for -- and I think I'm being generous here -- another year or so.
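The comment above narrows exposure to hosts whose sshd is patched to link libsystemd, which is what drags liblzma into the sshd process. As an added check (not from the thread; the sample `ldd` listings below are constructed, not captured from a real machine), this script tests whether a given sshd's linked libraries meet that precondition:

```shell
#!/bin/sh
# Added example: check whether sshd links libsystemd, and through it liblzma,
# which is the precondition for the backdoored library to be loaded into sshd.
# Operates on `ldd` output so it can run over a captured listing or a live host.

# Returns 0 when both libsystemd and liblzma appear in the listing, 1 otherwise.
# $1: text in `ldd` format (one "name => path (addr)" line per library).
links_systemd_and_lzma() {
    printf '%s\n' "$1" | grep -q 'libsystemd\.so' || return 1
    printf '%s\n' "$1" | grep -q 'liblzma\.so' || return 1
    return 0
}

# Print the resolved path of liblzma from the listing (empty if absent), so the
# operator knows which package file to compare against their distro advisory.
lzma_path() {
    printf '%s\n' "$1" | awk '/liblzma\.so/ { print $3; exit }'
}

# Constructed sample: an sshd built with the libsystemd patch.
SAMPLE_LINKED='	linux-vdso.so.1 (0x00007ffc1a3f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f3a1c000000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f3a1bfc0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'

# Constructed sample: an unpatched sshd with no libsystemd dependency.
SAMPLE_PLAIN='	linux-vdso.so.1 (0x00007ffc1a3f0000)
	libcrypto.so.3 => /lib/x86_64-linux-gnu/libcrypto.so.3 (0x00007f3a1b800000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bd00000)'

# Live check when run on a host that has sshd installed at the usual path.
if [ -x /usr/sbin/sshd ]; then
    live=$(ldd /usr/sbin/sshd 2>/dev/null || true)
    if links_systemd_and_lzma "$live"; then
        echo "sshd links libsystemd and liblzma: $(lzma_path "$live")"
        echo "precondition met; verify the installed xz/liblzma package against your distro advisory"
    else
        echo "sshd does not link libsystemd+liblzma; precondition not met"
    fi
fi
```

A positive result only means the library is loaded into sshd; whether the installed liblzma build is the backdoored one still has to be confirmed from the package version and your distribution's advisory.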


> that didn't actually happen

See modulating factors at the bottom. In this case, it didn't because it was caught before making it into a stable release, but only due to sheer luck. The story is still so much bigger than Stuxnet to me because its aim was an actually tangible impact on millions of people's lives.

> Now this could have been bigger than Stuxnet, if the backdoor had remained secret for -- and I think I'm being generous here -- another year or so.

Agreed on that! (To be clear, I still think it's already bigger, not because of the impact it concretely had but because I perceive it as having been very close; but I can understand this/your point of view very well.)


It's not clear that the distribution mechanism and many of the other requirements would be so broadly met that "access to most servers on the internet" is a correct description of the scope.

Or that, once in the wild, the author would have their pick of the litter when choosing targets. It's also true that the exploit has several kill switches in it, and so even vulnerable servers could be protected by simply setting an environment variable.

Which, honestly, makes this entire attack all the more strange. It had incredibly unclear value and longevity. It makes me wonder if the author didn't have different, parallel aims, or if this wasn't a type of practice run for a larger attack in the future.


Since they would have "their pick of the litter", why did they then include kill switches? A scary scenario is a rerun of the Viasat hack (https://en.wikipedia.org/wiki/Viasat_hack), i.e. wipe all servers worldwide on the morning of an attack, but before that you install the kill switches on your servers and those of your allies.


To make it harder to detect and reverse engineer. There's a plethora of disabling functionality in the exploit. This is bad, but the original post is being hyperbolic.


Depends on the set of global resources, including development, CI/CD and production systems, reachable by compromised sshd.


And that would likely be precious few, at least today. Only a teeny tiny percentage of servers out there were updated to a vulnerable version. And an even smaller percentage likely had their sshd port exposed to the public internet.

Sure, if the backdoor hadn't been found for a couple more years, the impact would have been much higher, as the backdoored version would have made it into actual current releases of the popular server distros, and companies gradually upgraded.
