The tech world is reeling from the revelation that Chinese spies may have managed to compromise national security by slipping a hardware backdoor into servers used by United States intelligence agencies, the U.S. military and some of the world’s biggest companies. This supply chain attack appears to have originated at several manufacturing plants in China and Taiwan, where the vulnerability was installed before being shipped to customers.
Bloomberg reports the attack consisted of a tiny microchip attached to a number of motherboards made by Super Micro Computer, a San Jose-based company (with manufacturing facilities in China) and industry leader that supplies a broad range of server manufacturers. The compromised motherboards made their way to servers used in the Department of Defense, the Central Intelligence Agency and Navy warships as well as by private companies such as Amazon and Apple.
It’s important to note at this point that the story is not yet entirely confirmed. The Bloomberg report is based on the accounts of six current and former senior national security officials, who have opted to come forward as anonymous sources. The sources claim that a government investigation into the matter began in 2015 under the Obama administration, after Amazon discovered the suspect microchips during an internal security audit and notified authorities. The officials claim they served as part of the investigation under both the Obama and Trump administrations and that it is still currently active.
Amazon and Apple issued immediate denials after the Bloomberg report came out. Amazon claims they never had any knowledge of the chips allegedly planted by Chinese spies, and that their internal security audits of the board revealed only unrelated potential vulnerabilities that they patched out. Apple claimed that Bloomberg contacted them multiple times about the possibility of these chips being in their servers, but that they had no knowledge of them and that their internal audits of Super Micro servers turned up no vulnerabilities.
So who is telling the truth? Amazon and Apple both have clear financial motivations to deny what is currently an anonymous and unconfirmed report regardless of where the truth might lie. They don’t want any part of what has happened to Super Micro, which saw its share value nearly halved after the report came out even though the company has denied knowledge of the malicious chips or any investigation into an attack by Chinese spies.
Leading security experts have been cautious in their analysis so far, noting that there are strong points on both sides. As Andrea Barisani, head of hardware security at F-Secure sums it up: “If anything, there are only official denials on the story and the lack of technical details doesn’t really favor the conclusions from a technical standpoint. It is certainly possible to mount supply chain attacks that can affect the security of COTS (Commercial Off-The-Shelf) hardware, albeit posing notable implementation difficulties.”
Then there are others that believe such scenarios are not entirely implausible. Anthony James, vice president at CipherCloud and former CMO at TrapX, whose researchers previously discovered the Chinese-generated Zombie Zero nation‐state sponsored Zero Day attack, said, “The accusation that the Chinese are embedding malware and surveillance into standard devices is quite real and based on facts. In 2014 an embedded malware named “Zombie Zero” targeted the shipping and logistics industry. The weaponized malware was delivered into enterprise shipping and logistics environments by a Chinese manufacturer that sold proprietary hardware for terminal scanners (barcode readers) used to inventory items for shipment. The malware was delivered through the Windows embedded XP operating system pre-installed on the hardware at the manufacturer’s location in China. The embedded malware would send information back via a botnet that terminated at the Lanxiang Vocational School purportedly located in the Shangdong province in China.
“The school was tied to the nefarious Operation Aurora cyber-espionage campaign that hit Google, Adobe, Intel, and many other major US firms a few years earlier. Not-so-amazingly this cyber espionage group was located about one block from the inventory scanner manufacturer in question. So you would buy a new barcode scanner from this manufacturer and magically get a dose of this pre-installed weaponized malware courtesy of Lanxiang Vocational School, a repeat offender proxy for the Chinese government cyber activity.
“These belligerent nation states are attacking our manufacturers and our supply chain. Nation state-sponsored attacks against the west are ramping up – neither enterprise nor municipal government has the capacity to deal with this type of attack. Respectfully submitted, that may include Amazon, Apple, and other companies that may not have the resources or funds allocated to detecting and eliminating such a sophisticated threat.”
Supply chain attack 101: Installing the backdoor
The ideal backdoor is one inserted at the hardware level. These types of attacks are extremely difficult to detect, as they are beyond the reach of most standard software-based security analysis. They also make it possible for encryption to be bypassed. It’s equally difficult to get this done, however, as it requires access to the hardware during the manufacturing process. The would-be saboteur also has to have enough control over the supply chain network to ensure that their compromised boards end up in the hands of the intended target.
Thus, the only realistic deployment of a hardware backdoor would be by a national government with advanced intelligence apparatus. We’ve seen the world’s major powers put pressure on hardware manufacturers to include backdoors for law enforcement use, but active deployment of a hardware backdoor in order to execute a supply chain attack in another country is an entirely new ballgame.
China is uniquely positioned among the major powers to deploy such an attack, as the vast majority of the world’s computer and phone motherboards are manufactured within its borders. Chinese spies had attempted this sort of thing on a smaller scale before, but the Super Micro attack would be the first to simultaneously compromise multiple high-level targets outside of their territory by navigating a foreign supply chain.
The Bloomberg story claims that the grain-sized microchip was inserted by Chinese spies at Super Micro factories that manufacture the fundamental components of their servers. Working backwards through supply chain records, U.S. investigators learned that the suspect microchips had been inserted at four factories in Shanghai and Taiwan that Super Micro subcontracted with to process overflow orders. Investigators believe that Chinese intelligence operatives approached the plant managers or lower-level employees involved with the motherboard design. Bribes and threats were used by the Chinese spies to gain access to the motherboards at the factory, and presumably to ensure that the servers the boards wound up in were routed to the intended recipients.
Is my company vulnerable to Chinese spies?
If the Bloomberg reporting is accurate, investigators ultimately concluded that only about 30 organizations worldwide were targeted. These were all extremely high profile and high value targets; American intelligence agencies, military operations and data processing behemoths like Apple and Amazon. It is highly unlikely there was any interest in companies outside of the upper reaches of the Fortune 500’s financial institutions and tech giants, or those with useful information on confidential American government operations.
There is some concern about potential data breaches at Amazon’s AWS servers and Apple cloud data operations during these supply chain attacks, however. But at this point, it’s impossible to identify what specific data may have been compromised.
Supply chain security takeaways
More details are needed to confirm both the accuracy of Bloomberg’s reporting and the full scope of what may have been exposed to Chinese intelligence. The story should serve as a prompt for many companies to re-evaluate certain underlooked areas of their security policy, however.
First, it underscores the need to anticipate supply chain attacks as a very real possibility. Companies need to take into consideration that the internal infrastructure of their vendors could become compromised. For most companies, this is going to be a matter of careful sourcing more than anything else. There has been a recent trend of tech manufacturing migration out of China to various destinations in Southeast Asia due to tariffs increasing costs (among other factors), creating a broader array of similarly-priced competition. China will still likely remain the world’s biggest and most cost-effective manufacturer (due to its position as the world’s biggest market) for many years, but companies will have to weigh the value of rock-bottom pricing against the potential cost of compromise at the hardware level.
Supply chain attacks can come from places other than factories, however. Many intelligence agencies already engage in the practice of “interdiction”, or intercepting hardware in transit. Attackers can also compromise the supply chain entirely through software, for example gaining access to software update servers or obtaining documents that have been improperly secured on a vendor’s servers. These attacks are not only the province of governments, but of independent operators looking to commit economic espionage. Again, the solution to this mostly comes down to careful sourcing; companies will need to invest some time and resources in evaluating the security policies of all of their vendors.
Companies will also need to carefully evaluate exactly what they are storing with third-party cloud-based vendors, and how necessary it really is for this data to be on external servers. The hardware sourcing of vendors will need to be examined in the same way that the company examines its own hardware sourcing; the possibility of a vendor sourcing from a country where a hardware backdoor might be installed is now a real possibility to take into account.