China’s intelligence services ‘ordered subcontractors to plant malicious chips’ and Supermicro server motherboards are only the tip of the iceberg. ‘It could be anything coming out of China.’
Fresh evidence of sabotaged Supermicro network servers indicates that at least one major U.S. telecom network has been compromised. Last week the public learned that “China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.” Now security expert Yossi Appleboum reports independent confirmation.
“There is no way for us to identify the gravity or the size of these exploits,” warns Tony Lawrence, another security expert and the CEO of VOR Technology. “We don’t know until we find some. It could be all over the place, it could be anything coming out of China.” What worries him is what has not yet been found. “The unknown is what gets you and that’s where we are now. We don’t know the level of exploits within our own systems.”
Appleboum provided “documents, analysis and other evidence” of his discovery to Bloomberg Businessweek after seeing its exposé. What he ferreted out, and turned over to the “major U.S. telecommunications company” that hired him, was “manipulated hardware from Super Micro Computer Inc.” that was active in its network.
The implant that Appleboum detected and removed in August is different from the chip implants revealed last week, “but it shares key characteristics,” Bloomberg notes. “They’re both designed to give attackers invisible access to data on a computer network in which the server is installed.” Also, “the alterations were found to have been made at the factory, as the motherboard was being produced by a Supermicro subcontractor in China.”
Appleboum has serious credentials. Formerly with the technology unit of the Israeli Army Intelligence Corps, he is now chief executive of Sepio Systems, which specializes in hardware security. He was hired in August to “scan several large data centers.”
He signed a nondisclosure agreement, so he isn’t saying which company hired him. He found the breach when his equipment detected “unusual communications from a Supermicro server.”
When he accompanied company technicians on a physical inspection, he discovered “an implant built into the server’s Ethernet connector.” That is the jack that a standard network cable, like the one from your modem to your computer, attaches to.
Appleboum has seen these gadgets so often he calls them his “old friend.” The NSA used to use them and details “were leaked in 2013.” He has seen several variations and they were made by multiple contractors. “Supermicro is a victim, so is everyone else.”
There are so many holes in the Chinese supply chain where the sabotage can occur that “deducing them can in many cases be impossible,” Bloomberg reports. “That’s the problem with the Chinese supply chain,” Appleboum shrugs.
Appleboum started by looking at the very lowest levels of the company’s network traffic, checking not only the normal data transmissions but the power consumption and other analog signals that may exist as well. His gear found an altered Supermicro server unit that “appeared on the network as two devices in one.”
“The legitimate server was communicating one way, and the implant another, but all the traffic appeared to be coming from the same trusted server, which allowed it to pass through security filters.” He confirmed his suspicions when he took off the machine’s cover plate.
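The article says only that the altered server “appeared on the network as two devices in one” and that the implant’s traffic passed filters because it carried the trusted server’s address. One way a defender can look for that symptom from a SPAN port or flow export is to passively fingerprint the TCP/IP stack behind each source address and flag any address that exhibits more than one stack. The script below is an added example, not code from the article or from Sepio Systems; the flow records are constructed, and the assumption that an implant would betray itself through a different initial TTL, TCP window and option layout is mine, not something the article states.

```python
"""Flag one network identity that behaves like two TCP/IP stacks.

Added example, not from the original article or from Sepio Systems.
Assumption: a hardware implant sharing the host's address runs its own
network stack, so its SYNs carry a different initial TTL, window size and
TCP option layout than the host OS does.  All flow data below is constructed.
"""
from collections import defaultdict

# Constructed sample.  Each record: (src, dst, dport, observed_ttl, window, tcp_opts)
# 10.20.0.15 is the legitimate server (Linux-like stack, one hop away) plus a
# hypothetical implant on the same address talking to 203.0.113.7 (TEST-NET-3).
# 10.20.0.16 is a clean host with a single, consistent fingerprint.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.20.0.40", 443, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.15", "10.20.0.41", 5432, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.15", "10.20.0.40", 443, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.15", "10.20.0.41", 5432, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.15", "203.0.113.7", 443, 127, 8192, "mss"),   # implant-style stack
    ("10.20.0.15", "203.0.113.7", 443, 127, 8192, "mss"),
    ("10.20.0.16", "10.20.0.40", 443, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.16", "10.20.0.41", 5432, 63, 29200, "mss,sackOK,ts,nop,wscale"),
    ("10.20.0.16", "10.20.0.40", 443, 63, 29200, "mss,sackOK,ts,nop,wscale"),
]


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value so that
    hop count does not split one stack into several fingerprints."""
    for init in (32, 64, 128, 255):
        if observed <= init:
            return init
    return observed


def fingerprint(flow):
    """Passive stack fingerprint: (initial TTL, TCP window, option layout)."""
    _src, _dst, _dport, ttl, window, opts = flow
    return (initial_ttl(ttl), window, opts)


def stacks_per_source(flows):
    """Group flows by source address, then by stack fingerprint."""
    seen = defaultdict(lambda: defaultdict(list))
    for flow in flows:
        seen[flow[0]][fingerprint(flow)].append(flow)
    return seen


def find_split_identities(flows):
    """Return {src: [(fingerprint, flow_count, sorted destinations), ...]} for
    every source address that shows more than one stack fingerprint.  Entries
    are ordered rarest fingerprint first, since the minority stack is the one
    worth tracing to a physical port and a cover plate."""
    result = {}
    for src, by_fp in stacks_per_source(flows).items():
        if len(by_fp) > 1:
            result[src] = sorted(
                ((fp, len(fs), sorted({f[1] for f in fs})) for fp, fs in by_fp.items()),
                key=lambda t: (t[1], t[0]),
            )
    return result


if __name__ == "__main__":
    for src, stacks in find_split_identities(SAMPLE_FLOWS).items():
        print(f"{src}: {len(stacks)} distinct stacks behind one address")
        for fp, count, dsts in stacks:
            print(f"  ttl={fp[0]} window={fp[1]} opts={fp[2]} flows={count} -> {dsts}")
```

On the constructed data the check singles out 10.20.0.15 and reports the two-flow minority stack and its destination, 203.0.113.7, as the thing to go and look at. Treat hits as leads, not verdicts: NAT, containers or a virtual machine bridged onto the host address will produce the same pattern, and a flow-based check sees nothing of the power draw and analog signals the article says Appleboum’s equipment also examined.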
“One key sign of the implant,” he explains, is that the bogus Ethernet connector “has metal sides instead of the usual plastic ones.” The metal, he says, “is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer.”
“The module looks really innocent, high quality and ‘original’ but it was added as part of a supply chain attack.”
Supermicro is denying everything. The San Jose, California, company declared in a statement, “the security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process and supply chain security is an important topic of discussion for our industry.”
“We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found.” After the previous story broke, Supermicro strongly denied the reports that “servers it sold to customers contained malicious microchips.”
The spy implant that Appleboum uncovered “was found in a facility that had large numbers of Supermicro servers,” and the company’s techs “couldn’t answer what kind of data was pulsing through the infected one.” He isn’t sure if they contacted the Federal Bureau of Investigation or not.
AT&T, Verizon, and Sprint all say they have no Supermicro equipment and that they are not the affected carrier. T-Mobile did not respond.
Appleboum’s colleagues at Sepio Systems include Tamir Pardo, a former director of Israel’s Mossad, and Robert Bigman, former chief information security officer of the Central Intelligence Agency. They know how important a target U.S. communication networks are.
As “data from millions of mobile phones, computers, and other devices pass through,” Chinese hardware implants “create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.”
The attacks alleged to have occurred in 2014 and 2015 are believed to be under investigation by the cyber and counterintelligence teams of the FBI, which means that even the existence of an investigation is kept tightly secret.
Appleboum relates that he reached out to some friends in intelligence agencies outside the U.S. and was told “they’ve been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.”
One of the reasons that Edward Snowden is in such hot water is that he leaked details of the “extensive programs” we have here in the U.S. to “seed technology heading to foreign countries with spy implants.”
“Hardware manipulation is extremely difficult to detect, which is why intelligence agencies invest billions of dollars in sabotage,” Bloomberg points out. “China appears to be aggressively deploying its own versions, which take advantage of the grip the country has over global technology manufacturing.”