Did the Most Significant Supply Chain Attack Against America Occur?
Did the Most Significant Supply Chain Attack Against America Occur?
Want to learn more about the alleged microchip being found on hardware devices used by Apple, Amazon, and many others? Click here for the details.
Join the DZone community and get the full member experience.Join For Free
Never a day goes by without a report of cybersecurity vulnerabilities, hacking, or ransomware. A piece of investigative journalism by Bloomberg hit the news last week, alleging that operatives from a unit of the People’s Liberation Army in China have been inserting tiny microchips into computer servers. Not any computer servers, but those used by companies, including Apple and Amazon, that gives China unprecedented backdoor access to computers and data. The tiny chips, as small as the tip of a sharpened pencil and designed to be undetectable without specialist equipment, were allegedly implanted on to the motherboards of servers on the production line in China being made for Supermicro, a company termed the Microsoft of hardware. The report claimed that the hardware then found its way into the data centers and operations of 30 companies, including Apple, Amazon, banks, hedge funds, and government contractors. Bloomberg called the attack:
"The most significant supply chain attack known to have been carried out against American companies."
Quick to React and Deny
Notably, each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims. Apple stated: “We are deeply disappointed that in their dealings with us. Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple."
Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems."
In a statement on their website, Supermicro asserted that they have never been contacted by any government agencies, either domestic or foreign, regarding the alleged claims, adding further:
"Supermicro takes all security claims very seriously and makes continuous investments in the security capabilities of their products. The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely."
Is it True?
With a series of journalists and unnamed investigators saying one thing and the alleged victims saying another, I was interested to get some perspective for those working in cybersecurity who know far more than me. I reached out to a number of people working in the space. According to cybersecurity educator and Senior Technical Account Manager at Red Hat, Greg Scott:
"To my knowledge, we don't have any samples of corrupted motherboards or the tiny chips in question. All we have for evidence is the Bloomberg report, and the anonymous sources the reporter used."
This poses the following questions:
- The portion of the story that describes how this chip somehow modifies operating system parameters is not credible.
- How does this chip know which versions of what operating systems are installed?
- What happens when system administrators apply patches?
- And, how do they cram that much intelligence onto such a teeny tiny chip and also keep it updated for new software releases? The specific attack he describes doesn't make sense, and I'm surprised the reporter didn't think it through and then do more homework."
This skepticism was also shared by Shane MacDougall, Senior Security Engineer at Mosaic451:
"By all accounts, it sounds like a misunderstanding by the reporters, as all those involved seem to be vehemently denying the story. That said, I have to disagree with a lot of people who are downplaying the story because of its practicality, saying that intercepting the logistics chain would make this sort of attack extremely difficult. That's frankly just not true. However, if indeed the story is accurate, then we have a serious, almost existential, issue from a security point of view. If you can't trust the environment your core processes are running in, then indeed we have a problem."
Why Attack in the First Place?
Nation-state hackers are usually looking for industrial or government secrets. If the hackers knew who some of Supermicro's clients were, then the insertion of the chips on those servers would have been purposeful in acquiring those secrets. According to Gregory Kelley of Vestige Digital Investigations, "The aim of the attack could have been a proof of concept scenario where the hackers wanted to see if it would succeed, for how long, and how they may have become uncovered in order to improve their skills for a more successful attack in the future."
However are the wins elicited by such an attack larger than its impact on the Chinese economy who make most of the world's hardware? As Shane MacDougall explained to me: "the Chinese government must understand that if it were to be found doing this, it would absolutely crush their electronics market, which is one of the main drivers of their economy."
What Happens Now?
So we have an attack that may or may not have occurred depending on what you read and who you believe. Can such an attack be prevented? According to Dennis Chow of SCIS Security, "Prevention of such attacks is extremely difficult for a number of reasons:
- Practicality from economies of scale; who honestly builds the entire stack of all parts and software of a server from the ground up? Almost no one.
- Even if you did, there's no guarantee an insider threat wouldn't be adding software code or other embedded malware built-in from your own design team.
- Who would be overseeing all aspects of the ground up build out? It would be daunting to properly inspect the code of all chips and embedded hardware on any system. "
There are a lot of unanswerable questions in this story. We do not know what absolute certainty what happened. It is highly likely we will never know - no company wants to have it on record that their products are grievously insecure. We do not know if there have been similar unreported attacks. But what we do know if that cybersecurity requires vigilance and a level of constantly evolving knowledge if any future attacks are to be prevented.
Opinions expressed by DZone contributors are their own.