The tech world is reeling from the revelation that Chinese spies may have managed to compromise national security by slipping a hardware backdoor into servers used by United States intelligence agencies, the U.S. military and some of the world’s biggest companies. This supply chain attack appears to have originated at several manufacturing plants in China and Taiwan, where the vulnerability was installed before being shipped to customers.
Bloomberg reports the attack consisted of a tiny microchip attached to a number of motherboards made by Super Micro Computer, a San Jose-based company (with manufacturing facilities in China) and industry leader that supplies a broad range of server manufacturers. The compromised motherboards made their way to servers used in the Department of Defense, the Central Intelligence Agency and Navy warships as well as by private companies such as Amazon and Apple.
It’s important to note at this point that the story is not yet entirely confirmed. The Bloomberg report is based on the accounts of six current and former senior national security officials, who have opted to come forward as anonymous sources. The sources claim that a government investigation into the matter began in 2015 under the Obama administration, after Amazon discovered the suspect microchips during an internal security audit and notified authorities. The officials claim they served as part of the investigation under both the Obama and Trump administrations and that it is still currently active.
Amazon and Apple issued immediate denials after the Bloomberg report came out. Amazon claims they never had any knowledge of the chips allegedly planted by Chinese spies, and that their internal security audits of the board revealed only unrelated potential vulnerabilities that they patched out. Apple claimed that Bloomberg contacted them multiple times about the possibility of these chips being in their servers, but that they had no knowledge of them and that their internal audits of Super Micro servers turned up no vulnerabilities.
So who is telling the truth? Amazon and Apple both have clear financial motivations to deny what is currently an anonymous and unconfirmed report regardless of where the truth might lie. They don’t want any part of what has happened to Super Micro, which saw its share value nearly halved after the report came out even though the company has denied knowledge of the malicious chips or any investigation into an attack by Chinese spies.
Leading security experts have been cautious in their analysis so far, noting that there are strong points on both sides. As Andrea Barisani, head of hardware security at F-Secure sums it up: “If anything, there are only official denials on the story and the lack of technical details doesn’t really favor the conclusions from a technical standpoint. It is certainly possible to mount supply chain attacks that can affect the security of COTS (Commercial Off-The-Shelf) hardware, albeit posing notable implementation difficulties.”
Then there are others that believe such scenarios are not entirely implausible. Anthony James, vice president at CipherCloud and former CMO at TrapX, whose researchers previously discovered the Chinese-generated Zombie Zero nation‐state sponsored Zero Day attack, said, “The accusation that the Chinese are embedding malware and surveillance into standard devices is quite real and based on facts. In 2014 an embedded malware named “Zombie Zero” targeted the shipping and logistics industry. The weaponized malware was delivered into enterprise shipping and logistics environments by a Chinese manufacturer that sold proprietary hardware for terminal scanners (barcode readers) used to inventory items for shipment. The malware was delivered through the Windows embedded XP operating system pre-installed on the hardware at the manufacturer’s location in China. The embedded malware would send information back via a botnet that terminated at the Lanxiang Vocational School purportedly located in the Shangdong province in China.
“The school was tied to the nefarious Operation Aurora cyber-espionage campaign that hit Google, Adobe, Intel, and many other major US firms a few years earlier. Not-so-amazingly this cyber espionage group was located about one block from the inventory scanner manufacturer in question. So you would buy a new barcode scanner from this manufacturer and magically get a dose of this pre-installed weaponized malware courtesy of Lanxiang Vocational School, a repeat offender proxy for the Chinese government cyber activity.
“These belligerent nation states are attacking our manufacturers and our supply chain. Nation state-sponsored attacks against the west are ramping up – neither enterprise nor municipal government has the capacity to deal with this type of attack. Respectfully submitted, that may include Amazon, Apple, and other companies that may not have the resources or funds allocated to detecting and eliminating such a sophisticated threat.”