A story over a year in the making came out earlier this month and has shaken the technology world. In its report, Bloomberg Businessweek claims that 17 unnamed sources confirmed a sweeping “supply chain attack” conducted by China that has affected around 30 companies worldwide.
The attack is said to have involved tiny microchips, designed to look like signal conditioning couplers, planted on data centre server motherboards that Super Micro, a US company, has manufactured by sub-contractors in China. These chips allegedly contain enough memory and processing power to backdoor the host systems and allow outside agents to remotely intercept, access and exfiltrate information. The report claims the malicious chips are as small as a sharpened pencil tip and were made to resemble the legitimate components one would expect to see on a circuit board. It alleges that they were secretly added by a special unit of the Chinese People’s Liberation Army after its operatives pressured, bribed or threatened factory workers and managers.
The company at the heart of this alleged attack is Super Micro, a server and motherboard maker headquartered in the US but manufacturing in China, often described as the Microsoft of the hardware world. The report claimed that large technology companies were cooperating with a US government investigation into the firm; Super Micro has denied any knowledge of such an investigation.
Two major companies are singled out in the allegations: Apple and Amazon. The report claims, however, that around 30 companies were hit, along with US government agencies such as NASA, the Department of Homeland Security and Congress.
The report holds that Beijing was behind such a sophisticated, malicious attack. China has yet to directly deny the report, instead stating ambiguously that “China is a resolute defender of cybersecurity. It advocates for the international community to work together on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit.”
In the other court is the vehement denial by Amazon and Apple. A post “setting the record straight” was made by Amazon the same day the report was released, claiming that “there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count”. Amazon went on to deny ever working with the US government or knowing about any supply chain compromise, malicious chips or hardware modifications.
The report claims that Apple discovered the chips on its servers in May 2015 and that the roughly 7,000 Super Micro servers then operating inside the company were later quietly removed. Apple, for its part, dismissed the report as wrong or misinformed and said it was “deeply disappointed” in Bloomberg’s dealings with it. Apple did stop purchasing Super Micro products altogether over the course of a few weeks in 2016, but it says that decision was prompted by a malware incident in 2015 that was entirely unrelated to Bloomberg’s allegations.
Setting aside, for a moment, the back-and-forth between these companies, many security experts have loudly questioned the plausibility of such a plan. Joe Grand, a hardware hacker and founder of Grand Idea Studio Inc, stated that “having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow”. Carrying out an attack through hardware implants in specific systems seems, by all accounts, extremely difficult. There are countless opportunities for private security researchers or authorities to uncover the scheme, and the affected companies would be expected to have monitoring in place that detects unexpected network traffic and operating system states, with alarms raised by any unwanted access or chatter.
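What “detecting unexpected network traffic” looks like in practice, as an added illustration rather than anything from the article or from the companies it names: two simple rules run over constructed flow records. The first flags any server management interface (BMC) that talks to a peer outside its allowlist; the second flags small flows to the same peer at near-regular intervals, the beaconing pattern a remote-access implant would need if it phoned home over a monitored network path. The network layout, the addresses, the flow format and the sample records are all assumptions made for the example.

```python
"""Two egress rules over constructed flow records (not real data).

Assumed layout: BMC/management interfaces live in 10.99.0.0/16 and
should only ever talk to the jump host and the firmware mirror.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

MGMT_NET = ipaddress.ip_network("10.99.0.0/16")          # hypothetical BMC subnet
EXPECTED_MGMT_PEERS = {
    ipaddress.ip_address("10.99.0.10"),  # hypothetical jump host
    ipaddress.ip_address("10.99.0.11"),  # hypothetical firmware/update mirror
}


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds at flow start
    src: str
    dst: str
    dport: int
    nbytes: int    # bytes sent by src


def parse_flows(text):
    """Parse whitespace-separated 'ts src dst dport bytes' records."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def unexpected_mgmt_egress(flows):
    """Rule 1: a management interface talking to anything outside its allowlist."""
    hits = set()
    for f in flows:
        src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        if src in MGMT_NET and dst not in EXPECTED_MGMT_PEERS:
            hits.add((f.src, f.dst, f.dport))
    return sorted(hits)


def periodic_beacons(flows, min_count=4, max_bytes=4096, jitter=0.2):
    """Rule 2: at least min_count small flows to one peer whose inter-flow
    gaps all lie within +/- jitter of their mean (a fixed-interval beacon).
    Returns (src, dst, dport, mean_interval_seconds) tuples."""
    by_peer = defaultdict(list)
    for f in flows:
        if f.nbytes <= max_bytes:
            by_peer[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, stamps in by_peer.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and all(abs(g - avg) <= jitter * avg for g in gaps):
            hits.append((*key, round(avg)))
    return sorted(hits)


# Constructed sample: one BMC talking to the jump host (fine), an app server
# doing bulk database traffic (fine), and one BMC sending ~400-byte flows to
# an outside address every ~5 minutes (both rules should fire).
SAMPLE_FLOWS = """\
1538640000 10.99.1.23 10.99.0.10 22 48213
1538640000 10.1.2.3 10.1.2.4 5432 993211
1538640300 10.99.1.23 203.0.113.7 443 412
1538640312 10.1.2.3 10.1.2.4 5432 771004
1538640598 10.99.1.23 203.0.113.7 443 398
1538640905 10.99.1.23 203.0.113.7 443 427
1538641200 10.99.1.23 203.0.113.7 443 405
1538641230 10.99.1.24 10.99.0.11 443 150223
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, dst, dport in unexpected_mgmt_egress(flows):
        print(f"ALLOWLIST: {src} -> {dst}:{dport}")
    for src, dst, dport, period in periodic_beacons(flows):
        print(f"BEACON: {src} -> {dst}:{dport} every ~{period}s")
```

The caveat a practitioner would add: both rules only catch an implant that reaches out over a network path the defender actually monitors, which is precisely why the experts quoted above doubt a silent implant could persist in a well-instrumented data centre. The allowlist rule is the cheaper and more reliable of the two; the beacon rule needs tuning of the interval tolerance and minimum count to avoid flagging legitimate polling.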
However, the head of the Australian Strategic Policy Institute’s (ASPI) International Cyber Policy Centre, Fergus Hanson, points out that the allegations are unsurprising, as China has access to, and control of, many essential parts of the global manufacturing supply chain. He states it is “logical” that the Chinese government would try to use this to its advantage. In support, InfoSec expert Jake Williams stated that it was “technically plausible” and a likely method.
Other experts have approached the question more cautiously. F-Secure’s head of hardware security, Andrea Barisani, stated that the “lack of technical details don’t really favour the conclusions from a technical standpoint”. Joseph Carson, Chief Scientist at Thycotic, struck a similar note, analysing the many questions raised by the report and finding that “no-one is on board with agreeing to the incident”.
If there is one thing experts and officials can agree on however, it is that if the report is accurate then it would be a cyber-incident of historic proportions with enduring and extensive ramifications. “It is as serious as you get”, says Carson.
While some have busied themselves with looking at the technical aspect of this report, others have looked to the possible political motivations behind it.
The report comes after the Trump administration placed tariffs on the importation of technology components from China. These tariffs, covering $200 billion worth of Chinese imports including computer hardware, could rise to 25pc. The rapidly escalating trade war has heightened tensions between the two countries and added to other disputes such as American military assistance to Taiwan and contestation over the South China Sea. Other technical controversies have emerged recently, such as the Hikvision security camera spying allegations and the subsequent American ban.
This has led many to speculate that Bloomberg’s sources may be pushing a narrative as part of America’s agenda against China. Interestingly, the report claims to draw on sources dating back to the Obama administration, when relations were less tumultuous, and on sources at private, global companies with little interest in America’s political agenda.
Others point to the increasing amount of subcontracting by American companies, which have moved manufacturing to firms in China and so opened up both the temptation and the likelihood of such security breaches. It is a “classic Satan’s bargain”, according to one US official interviewed by Bloomberg: companies must choose between less supply with a greater security guarantee, or the supply they need at greater risk.
Considering this, it seems quite likely that a country with a dominant position in the supply chains and manufacturing of electronic technologies would be tempted to leverage that position for its own benefit, particularly when locked in an intense political standoff with one of the world’s largest economies.
At the same time, Apple and Amazon will have a lot of explaining to do if they are found to have been making false statements of innocence, particularly considering the market and regulatory ramifications they would be facing. These companies made unambiguous and vehement denials against Bloomberg’s report, and there would be no talking their way out of a lie like that. There is a lot at stake for these companies, and their outright rejection of the allegations speaks volumes.
So, what does this all mean in the end? Basically, no one can prove beyond doubt that the report is wrong. While it may be extremely difficult and unlikely, it is not impossible. There is likely to be thorough investigation and a continuous stream of allegations being thrown around for many months, perhaps years, to come.
In the meantime, there have been several observations made since the report was released. Firstly, Super Micro’s shares dropped by nearly 50%, while Apple’s share price dropped just under 2% and Amazon’s by more than 2%.
For Australia, at least two government agencies have been identified as having hardware contracts with Super Micro: the Department of Defence and the Bureau of Meteorology. Considering this, Australia’s response may be similar to America’s, likely bringing further bans and distrust towards Chinese companies.
Finally, many experts are pointing to the supply chain implications. Hanson explains that it speaks to a broader challenge, a need to “start looking at sensitive supply chains much more closely”. The report exposes growing global concern about the security of technology supply chains. It highlights our reliance on smartphones, servers and computer parts that, because of extreme consumer demand, are manufactured in a way that sacrifices security for convenience and cost. Supply chain concerns represent an enormous threat to enterprises, explains Jeff Immelt, Chairman of Athenahealth. They also threaten consumers, who have little say in what compromises are being made with their personal information. However dramatic and political its telling, this report has at the very least laid bare issues that big corporations and governments have been sweeping under the rug, issues with serious and widespread ramifications.