Case Study: The 2023 GitHub Code Signing Certificate Theft 

Code signing certificates are critical for ensuring the authenticity and integrity of software. Still, their theft can enable cybercriminals to distribute malicious code under the guise of legitimacy, provided they also compromise the associated private keys, as the compromise of their associated private keys truly enables malicious signing. These certificates are attractive targets for attackers because they carry the trust of reputable organizations, allowing signed malware to bypass security checks on systems like Windows and macOS.  

On January 31, 2023, GitHub, a leading code hosting platform, reported a significant security breach where attackers stole three encrypted code signing certificates. This incident highlighted the vulnerabilities in even the most robust software development ecosystems and the devastating potential of stolen certificates. 

With this blog, we will discover the GitHub breach, exploring the challenges they faced, the impact of the theft, and how it could have been prevented.  

Company Overview

Microsoft owns GitHub, the world’s largest platform for version control and collaborative software development, hosting over 100 million repositories and serving more than 94 million developers as of 2023. Based in San Francisco, GitHub provides tools for code hosting, version control, and continuous integration/continuous deployment (CI/CD) pipelines, supporting millions of open-source and enterprise projects. These CI/CD and DevOps integrations, while powerful, also present potential attack surfaces that cyber actors can exploit to compromise the software supply chain. 

The platform’s critical role in the global software ecosystem makes it a high-value target for attackers seeking to exploit trusted certificates for malicious purposes. GitHub acts as a crucial link in the software trust chain, where its certificates vouch for the legitimacy of the software distributed through its platform. This pivotal position makes it an exceptionally attractive target for attackers, as compromising GitHub’s certificates could allow them to inject malicious code into a vast array of trusted software, effectively undermining the very foundation of software security for millions of users. 

Nature and Timeline of the Breach

The breach was facilitated by a compromised Personal Access Token (PAT), which granted the attackers unauthorized access. It is a password-like field associated with a machine account designed for automated tools and scripts to interact with GitHub. The PAT was likely exploited due to inadequate security measures, though the exact method of compromise remains unclear. Attackers had access for about one day before the intrusion was detected. The stolen certificates included: 

• One Apple Developer ID certificate, valid until 2027. 

• Two DigiCert-issued certificates, with expiry dates of January 4, 2023, and February 1, 2023, respectively. 

Importantly, all stolen certificates were encrypted and password-protected; there was no evidence that the attackers decrypted or used them maliciously. This encryption likely mitigated immediate risks, but the potential for abuse remained a significant concern. 

The incident unfolded as follows: 

• December 6, 2022: Attackers used the compromised PAT to clone repositories, including those containing the code signing certificates. 

• December 7, 2022: GitHub detected the unauthorized access and immediately revoked the compromised PAT, halting further access. 

• January 31, 2023: GitHub publicly disclosed the incident via a blog post, revealing the theft and outlining response measures. 

• February 2, 2023: As a precautionary measure, GitHub revoked the three stolen certificates immediately. 

The fact that the attackers got and maintained unauthorized access before detection indicates a potential gap in GitHub’s real-time monitoring and alerting systems for suspicious activities associated with machine accounts and PATs. While GitHub acted swiftly once the access was identified, this period of undetected access underscores the critical importance of strong anomaly detection and continuous security monitoring, especially for a critical infrastructure environment like GitHub. 

Challenges

The GitHub code signing certificate brought about several important challenges: 

1. Unauthorized Access to Certificates

   On December 6, 2022, attackers gained unauthorized access to select GitHub repositories, stealing three encrypted code signing certificates: one Apple Developer ID certificate and two DigiCert-issued certificates. Although the certificates were password-protected, their theft exposed the risk of attackers attempting to decrypt and misuse them to sign malicious code.

2. Delayed Detection

   The breach went undetected until December 7, 2022, when GitHub identified suspicious activity. This delay allowed attackers to exfiltrate the certificates, highlighting the challenge of real-time monitoring in complex development environments.

3. Certificate Management Vulnerabilities

   The incident revealed weaknesses in certificate storage and access controls. Proper RBAC ensures that accounts, like the one compromised, only have the minimum necessary permissions to perform their designated tasks, preventing broad access to sensitive assets like code signing certificates.

   While the certificates were encrypted, they were stored in repositories accessible to the attackers, suggesting insufficient use of secure storage solutions like Hardware Security Modules (HSMs), as they are purpose-built cryptographic devices that store cryptographic keys in a tamper-resistant environment, ensuring the keys never leave the device, even during signing operations. GitHub’s investigation confirmed no malicious use occurred, but the potential for abuse remained a concern.

4. Revocation and Response Complexity

   Revoking the stolen certificates required coordination with Certificate Authorities (CAs) like DigiCert and Apple, a process that was time-consuming and disrupted GitHub’s operations. The Apple Developer ID certificate, valid until 2027, posed a particular challenge, requiring Apple to monitor for misuse of signed executables. Such revocation processes can be very complex and time-consuming; therefore, using automated solutions could significantly streamline the detection of compromised certificates, accelerate the revocation process, and minimize the operational disruption caused by such incidents.

These challenges highlight some bigger issues in the industry, where poor certificate management and insufficient security measures can leave organizations facing considerable risks. 

Impact

The theft of GitHub’s code signing certificates had far-reaching implications, even though no malicious use was confirmed: 

1. Potential for Malware Distribution

   Had the attackers decrypted the stolen certificates, they could have signed malicious software, bypassing security checks on Windows and macOS systems. According to the IBM Cost of Data Breach report of 2024, the average global cost of a data breach is around USD 4.9 million, reflecting the potential severity of such attacks.

2. Reputational Damage

   GitHub’s reputation as a trusted platform was at risk, as the breach could have eroded confidence among its 94 million users. A research study notes that malware attacks enabled by stolen certificates can significantly harm an organization’s credibility, potentially leading to lost business.

3. Operational Disruption

   GitHub’s response involved revoking the stolen certificates on February 2, 2023, and issuing new ones, which disrupted development workflows.

4. Regulatory and Compliance Risks

   The breach raised concerns about compliance with standards like GDPR and CA/B Forum requirements, as stolen certificates could lead to data breaches if misused.

5. Industry-Wide Concerns

   The incident underscored the growing threat of code signing certificate thefts, with a 742% increase in supply chain attacks reported by a study in recent years. It prompted renewed focus on securing private keys and certificates across the software industry. Beyond the technical implications, such breaches can severely erode developer trust in platforms like GitHub, as they directly impact the confidence that users place in such tools and platforms, which they rely on daily.

   Furthermore, the incident had an indirect but significant impact on the vast community of open-source contributors, who depend on GitHub’s integrity as the foundation for their collaborative work and the distribution of their projects.

The breach’s potential to allow widespread malware distribution really emphasizes how crucial it is to have strong certificate protection measures in place. The revocation of the certificates had direct implications for users of affected applications: 

• GitHub Desktop for Mac: Versions 3.0.2 to 3.1.2 were invalidated, as these were signed with the compromised certificates. Users were advised to update to the latest version, released on January 4, 2023, which included new certificates. 
• Atom: Versions 1.63.0 and 1.63.1 were also invalidated, and these versions were removed from the releases page. Users were instructed to downgrade to version 1.60.0, noting that Atom had been officially discontinued in December 2022. 
• Unaffected Applications: GitHub Desktop for Windows was not impacted, as it used different signing mechanisms. 

How Could Encryption Consulting Help Prevent It?

Encryption Consulting’s CodeSign Secure solution offers comprehensive tools to prevent incidents like the GitHub certificate theft. Here’s how it could have mitigated the risks: 

1. Secure Key Storage with HSMs

   Instead of relying on potentially vulnerable repository storage, CodeSign Secure leverages FIPS 140-2 Level 3-compliant Hardware Security Modules (HSMs). This is crucial because HSMs provide an isolated, tamper-resistant environment where private keys are generated and used, ensuring they never leave the device.

   For GitHub code signing certificate theft, this would have meant that even if attackers gained access to repositories containing encrypted certificates, the corresponding private keys, essential for actual signing, would have remained secure and utterly inaccessible within the HSMs.

2. Custom Key Storage Provider (KSP)

   Encryption Consulting’s proprietary KSP enables client-side hashing, where the cryptographic hash of the code is computed locally without exposing the private key to the user or application. It helps ensure that signing operations occur securely within the HSM, eliminating the risk of private key exposure, even if certificates are stolen.

3. Automated Signing and Auditing

   Manual signing processes are prone to errors and provide less visibility. CodeSign Secure automates the signing process directly within CI/CD pipelines, ensuring only authorized code is signed consistently. More importantly, comprehensive audit trails are generated for every signing operation, which would have enabled GitHub to detect unauthorized access in real-time, potentially stopping the theft before it occurred.

4. Access Control and Monitoring

   CodeSign Secure implements strict, role-based access controls, ensuring that only authorized individuals and automated processes can initiate signing operations. Furthermore, its integration with Security Information and Event Management (SIEM) systems like Splunk enables centralized, real-time monitoring and alerting.

5. Compliance with Industry Standards

   Our CodeSign Secure solution will also help you ensure compliance with CA/B Forum and GDPR requirements and help your organization maintain secure certificate and signing practices.

Conclusion

The 2023 GitHub code signing certificate theft serves as an important reminder of the vulnerabilities in software development ecosystems. The theft of three encrypted certificates exposed significant risks, with potential costs and damages to the organization. GitHub’s response mitigated immediate harm, but the breach underscored the need for stronger certificate security. 

Encryption Consulting’s CodeSign Secure, with HSM-based storage, automated signing, and robust monitoring, offers a proactive defense against such threats. As cybercriminals target code signing certificates, organizations must prioritize secure key management to protect their software, users, and reputation, as securing the software supply chain is not solely the responsibility of individual companies but a shared industry imperative, demanding collaborative efforts and best practice adoption to uphold digital trust.