On Thursday, October 4, 2018, Bloomberg published an article which claimed that Chinese spies were able to gain privileged access to just under 30 major US companies. This access was granted through the spies planting tiny microchips inside motherboards used for Supermicro servers that eventually made their way inside the IT infrastructures of the major companies which included Apple and Amazon. The report shocked the public and resulted in Supermicro’s stock value plummeting by nearly 50%.
Soon after the story was published the companies supposedly involved came out with statements that strongly denied the claims made in the article. Not only did the companies question the story but many leading thinkers within the InfoSec community cast doubts upon the article's claims.
Denials and Doubts
The storm that followed Bloomberg’s article resulted in many of the supposedly affected companies issuing statements denying the claims. Perhaps the strongest denials came from Apple and Amazon. Amazon went on record to state,
“It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental [a company cited in the Bloomberg report as pivotal to allegedly supplying the malicious chips]. It's also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”
In the report published by Bloomberg, it was claimed that the Chinese People's Liberation Army (PLA) used bullying tactics to force the inclusion of illicit chips on server hardware during the manufacturing process in factories. These chips could then reportedly be activated to compromise the networks of enterprise companies.
The chips were reportedly built to be as inconspicuous as possible and to mimic signal conditioning couplers. It was determined during an investigation, which took three years, that the chip allowed the attackers to create a backdoor into any network that included the altered machines. The report cited 17 unnamed sources from within the intelligence and private sectors as evidence confirming the claims.
Amazon went further, stating that the article had “so many inaccuracies [...] that they're hard to count.” Apple cast further doubt on the claims by stating that Bloomberg’s sources “might be wrong or misinformed,” and that said sources may be “confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of the labs.” Apple further stated,
“no one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind -- much less tried to restrict it.”
Government Agencies Also Deny Claims
On October 4, the company whose stock and reputation were most affected by the claims, Supermicro, did not take long to break its silence. The Taiwanese company denied the claims and further asserted that it has “never been contacted by any government agencies either domestic or foreign regarding the alleged claims.” A dance of claim, counterclaim and inevitable denial often plays out in these instances. What is more telling, however, is that intelligence agencies have supported the denials made by both Apple and Amazon.
In a statement to Reuters, the UK's National Cyber Security Centre (NCSC), part of the Government Communications Headquarters (GCHQ), said that it had no reason to doubt the assessments made by both Apple and Amazon. Following the GCHQ statement, the US Department of Homeland Security published a similar statement on its website. The agency stated,
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
Shortly after the news of the Bloomberg article broke, many within the InfoSec community voiced concerns about the veracity of the claims made in the article. The day after publication, Security Week published its own article in which experts were given the opportunity to voice their concerns. Criticisms ranged from poor choices of artwork that gave readers false impressions, to the lack of technical details and the reporters' failure to get any source to go on the record under their real name.
Whether or not the claims made in the Bloomberg article are true, they have certainly had an impact, not only on Supermicro but on other Chinese tech firms. In the wake of the allegations, shares in Lenovo and ZTE tumbled during trading in Hong Kong. Lenovo shares closed down 15.1 percent while ZTE lost 11 percent. Lenovo, which has headquarters in Beijing and North Carolina, is the biggest global manufacturer of personal computers and has a growing smartphone brand. For ZTE, any further trading losses could be a hammer blow to the company.
ZTE faced possible bankruptcy this year after Washington imposed a seven-year ban on sales of U.S. technology to the company over its exports to Iran and North Korea. American authorities lifted the ban in July after ZTE paid a 1 billion USD fine. In a bid to continue trading, the company also agreed to replace its executive team and hired U.S.-selected compliance officers.
There may also be political ramifications given the current political climate, which is seemingly defined by a trade war between China and the US. Sanjay Beri, the CEO of Netskope, believes that,
“As economic tensions continue to escalate between nation states and the US, organizations -- especially those operating in high-risk sectors such as energy, manufacturing, government, etc. -- need to remain watchful and on high-alert in order to ensure their sensitive data is protected and inaccessible to foreign entities. Given the nature of this attack was at the hardware level, there are bound to be even more complex ramifications of those affected, as these types of breaches are far less simple to rectify than those at the software level.”