On 4 October Bloomberg published an article claiming that tiny microchips had been implanted in computer equipment manufactured for a US company in China, with the aim being to steal sensitive data or engage in cyber espionage activities.
The microchips were allegedly designed by the People’s Liberation Army before being placed – possibly via bribing factory managers or employees within the shipment chain – inside computer hardware equipment produced by the US company Super Micro Computer Inc. and used by huge global organisations such as Amazon and Apple, as well as by the US government.
Bloomberg’s report went on to claim that Amazon first found the microchips on motherboards three years ago, when they alerted US authorities. The discovery followed a security analysis of equipment made by SuperMicro for software company Elemental, which Amazon had just acquired. Elemental’s servers were used by the US Department of Defense and for a variety of other US intelligence and military activities. Other government customers included both houses of Congress, the Department of Homeland Security and NASA, illustrating nicely how Elemental could have been an extremely useful target for external nation state cyber espionage activities.
Amazon, Apple and SuperMicro all strongly refuted the claims contained within Bloomberg’s report.
Their denials were supported by intelligence agencies, with both the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) maintaining they had no reason to doubt the assessments. Their statements did not, of course, amount to actually dismissing the report as false: rather, they demonstrated a degree of trust in the conclusions reached by the companies involved.
Bloomberg then went on to publish further evidence of their claims, this time alleging that a major (unnamed) US telecoms company had discovered “manipulated hardware” from SuperMicro in its network and removed it in August this year.
Information included in this article had been provided by a hardware security expert, Yossi Appleboum, who allowed journalists access to documents and other evidence for analysis.
In the latest update to the debate, Russia-based security company Kaspersky has published its own research into the claims. In a 14-page document obtained by MacRumours but as yet not widely available, Kaspersky is quoted as dismissing the Bloomberg allegations as “untrue”.
It added: “The stories published by Bloomberg in October 2018 had a significant impact. For Supermicro, it meant a 40% stock valuation loss. For businesses owning Supermicro hardware, this can be translated into a lot of frustration, wasted time, and resources. Considering the strong denials from Apple and Amazon, the history of inaccurate articles published by Bloomberg, including but not limited to the usage of Heartbleed by U.S. intelligence prior to the public disclosure, as well as other facts from these stories, we believe they should be taken with a grain of salt.”
Kaspersky is therefore offering a staunch defence of the denials made by the companies. Notably, it is also supporting the stance taken by the US and UK intelligence agencies, but perhaps this is not particularly surprising, given the widespread media interest which Kaspersky has attracted over the last couple of years. Allegations that it had close ties to the Kremlin were roundly denied, but did not prevent Donald Trump’s administration from banning the use of the company’s products from all US government networks: the UK government was among several that followed suit. It could, therefore, be in Kaspersky’s interests to support the statements made by the NCSC or the DHS.
Cyber espionage has been a prominent issue for many years. While the Chinese, Russians, North Koreans and Iranians are routinely accused of carrying out a broad variety of highly damaging attacks against western governments and corporations, the documents released by ex-NSA contractor Edward Snowden in 2013 highlighted the activities of the USA and other western intelligence agencies – a point always worth remembering.
Returning to the specific question of Chinese cyber espionage: in August this year, citing risks to national security, President Trump signed an order as part of the Defense Authorization Act, stipulating that components manufactured by Chinese companies Huawei and ZTE would be banned for use by the US government and government contractors; again, other governments followed the lead and implemented similar measures.
In 2015, an agreement concluded by President Barack Obama and President Xi Jinping essentially amounted to a promise from the Chinese to stop state-sponsored hacker groups from targeting and stealing commercial secrets and intellectual property from the US. However, as we noted in one of our earlier blog posts, it is possible that the Chinese government agreed to the deal to allow their state-sponsored hackers time to develop new tools for future cyber espionage operations, which would give them more opportunities to work within networks for a greater length of time without being identified. Certainly, the Chinese hacker groups are still active and may well be expanding their targeting of US government, military and corporate networks in light of Trump’s tariffs and the escalating trade war between the two countries.
But is it also possible that the Chinese acceded to those American demands in 2015 because they had a different tactic in mind, and a confidence in the success of targeting hardware in the way outlined in the Bloomberg report?
One thing is certain: it is currently not possible to signify agreement or sympathy with either side on this issue, whether that be Bloomberg, Amazon, Apple, SuperMicro, or even the US and UK government agencies: nor is there any reason to doubt Kaspersky’s assessment.
Cyjax’s CEO pointed out that a definitive conclusion about the veracity of the reports cannot be reached without full access to the evidence, and this is unlikely to be forthcoming, at least in the short-term.
He commented: “What worries me is that if this is true, then the same threat actors who are ultimately behind this scandal will also have been able to repeat the process elsewhere, like at Foxconn, who happen to build and distribute significantly more servers than SuperMicro.”