FlyerTalk Forums - View Single Post - BA Investigating Theft of Personal and Financial Data
Sep 11, 2018, 8:24 am
  #921  
Howard Long
 
Join Date: Aug 2006
Location: In the sticks
Programs: VS FC Gold, BA EC Gold, Amex Centurion, EK Gold, ex-G-ATVK driver
Posts: 1,827
Originally Posted by DYKWIA
It's quite easy for somebody with the appropriate server access to just modify the script with a text editor. I could have done this at a number of clients (if I had the JS skills and the inclination). A lot of companies are quite lax in who they give root access to, so it can be difficult to see who made the change.
I agree this is eminently plausible.

Again, assuming that the tampering was done internally, it may not necessarily have been directly modified by the person who deployed it. In large organisations, the person doing the deployment is unlikely to have knowledge of the nuts and bolts of what they're deploying as part of a change. Indeed, none of the half dozen or so signatories authorising the average change will have any clue of the detail.

If it was indeed a scheduled change, it will likely have gone through a functional test cycle, and in my experience nowadays full regression and non-functional testing such as pen testing isn't done on every release. Today's fashion is heading towards CI/CD and DevOps which promote very frequent incremental pushes to production. Full regression and security testing aren't generally considered to be compatible with such regimes. Essentially, the business accepts the increased risk of unforeseen problems in return for accelerated delivery.

Without any evidence of anything to the contrary, it does sound like the file modification was either an inside job or dodgy code supplied by an outsourced software supplier.

Then there's always the coincidence that their entire cyber security team was placed under consultation at the beginning of August, with the function to be outsourced to IBM.
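A defender's counterpart to the in-place script edit DYKWIA and Howard describe, added here as example code (not from the thread, from BA or from any vendor): hash the scripts in the approved release artefact at change-approval time, then compare the deployed tree against that manifest so an edit made after approval shows up regardless of who held root. The file names and contents are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, pattern: str = "*.js") -> dict:
    """Map each script path (relative to root) to its hash. Run on the approved release artefact."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob(pattern))
        if p.is_file()
    }


def verify_deployment(root: Path, approved: dict, pattern: str = "*.js") -> dict:
    """Diff the deployed tree against the approved manifest. Any non-empty list is a finding."""
    deployed = build_manifest(root, pattern)
    return {
        "modified": sorted(k for k in approved if k in deployed and deployed[k] != approved[k]),
        "missing": sorted(k for k in approved if k not in deployed),
        "unexpected": sorted(k for k in deployed if k not in approved),
    }


def demo() -> dict:
    """Constructed scenario: approve a release, then edit one deployed file and drop in another."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        checkout = root / "js" / "checkout.js"           # constructed file name
        checkout.write_text("export function pay(form) { return form.submit(); }\n")
        approved = build_manifest(root)                  # captured at change-approval time
        # Simulated post-approval edit on the production box (harmless placeholder text)
        checkout.write_text(checkout.read_text() + "// edited after approval\n")
        (root / "js" / "extra.js").write_text("// not part of any approved change\n")
        return verify_deployment(root, approved)


if __name__ == "__main__":
    print(demo())
```

Keep the approved manifest outside the web server (for instance attached to the change record) so the same access that can edit the script cannot also rewrite the baseline it is checked against.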