In October, Bloomberg Businessweek published an alarming story: Operatives working for China’s People’s Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. This allegedly gave Chinese spies clandestine access to servers belonging to over 30 American companies, including Apple, Amazon, and various government suppliers, in an operation known as a “supply chain attack,” in which malicious hardware or software is inserted into products before they are shipped to surveillance targets. Bloomberg’s report, based on 17 anonymous sources, including “six current and former senior national security officials,” began to crumble soon after publication as key parties issued swift and unequivocal denials. Apple said that “there is no truth” to the claim that it discovered malicious chips in its servers. Amazon said the Bloomberg report had “so many inaccuracies … as it relates to Amazon that they’re hard to count.” Supermicro stated it never heard from customers about any malicious chips or found any, including in an audit it hired another company to conduct. Spokespeople for the Department of Homeland Security and the U.K.’s National Cyber Security Centre said they saw no reason to doubt the companies’ denials. Two named sources in the story have publicly stated that they’re skeptical of its conclusions.
But while Bloomberg’s story may well be completely (or partly) wrong, the danger of China compromising hardware supply chains is very real, judging from classified intelligence documents. U.S. spy agencies were warned about the threat in stark terms nearly a decade ago and even assessed that China was adept at corrupting the software bundled closest to a computer’s hardware at the factory, threatening some of the U.S. government’s most sensitive machines, according to documents provided by National Security Agency whistleblower Edward Snowden. The documents also detail how the U.S. and its allies have themselves systematically targeted and subverted tech supply chains, with the NSA conducting its own such operations, including in China, in partnership with the CIA and other intelligence agencies. The documents also disclose supply chain operations by German and French intelligence.
What’s clear is that supply chain attacks are a well-established, if underappreciated, method of surveillance — and much work remains to be done to secure computing devices from this type of compromise.
“An increasing number of actors are seeking the capability to target … supply chains and other components of the U.S. information infrastructure,” the intelligence community stated in a secret 2009 report. “Intelligence reporting provides only limited information on efforts to compromise supply chains, in large part because we do not have the access or technology in place necessary for reliable detection of such operations.”
Full Article: The Messy Truth About Infiltrating Computer Supply Chains.