Chinese spy chip uncovered at major US telecom

A major US telecommunications company discovered a malicious implant on a Supermicro server. The report comes after Bloomberg Businessweek’s article that Chinese intelligence agents embedded data-stealing microchips into servers that made their way into the systems of 30 US companies including Apple and Amazon.

Background

The US and China have competed for years over trade, technology, business and defence.  Due to their differing views on the internet, the two countries’ policies on cybersecurity frequently clash.

Security experts have linked China to prolific cyber espionage attacks and campaigns targeting US defence, technology, and energy companies. The term Advanced Persistent Threat (APT) was coined as a result of these efforts. An APT group is defined as a formidable threat group backed by an established nation that focuses on persistent access to privileged systems to monitor and exfiltrate sensitive information and continued exploitation for months or years.

US cybersecurity firm Mandiant published a report on APT1 in February 2013 - a threat group linked to Unit 61398 of the People’s Liberation Army. Multiple security firms have since published research linking various APT groups and their US-focused cyber campaigns to the Chinese military.

In early October, Bloomberg Businessweek published a report that a Chinese military unit inserted malicious microchips into the motherboards of servers used by 30 US companies. Citing over a dozen unnamed intelligence and company sources with knowledge of the attack, Bloomberg reported the chips were planted by operatives of the Chinese People’s Liberation Army.

The compromised hardware was sold by Super Micro that, like other tech companies, outsources its manufacturing to China. Major US companies such as Apple, Amazon were among the 30 companies that purchased the affected servers.

Apple, Amazon and Super Micro all disputed the report. Bloomberg said their denials were countered by national security officials with knowledge of the discovery of the microchips by US intelligence services in 2015. The investigation is reportedly ongoing. The US Department of Homeland Security and the UK’s National Cyber Security Centre said there is “no reason” to doubt the companies’ assessments challenging the report.

Analysis

A major US telecom company discovered “manipulated hardware” from Supermicro in its network and removed it in August, according to a security expert working for the firm. Bloomberg reported that the security expert, Yossi Appleboum, provided documents and analysis as evidence of the hardware compromise.

Appleboum’s firm Sepio Systems was hired to scan several large data centres belonging to the unnamed telecom company. He did not disclose the name of the firm due to nondisclosure agreements. During his work, he reportedly discovered an implant embedded in a Supermicro server’s Ethernet connector.

The security expert said he had encountered similar manipulations of other vendors’ computer hardware made by contractors in China, beyond Supermicro’s products. The hardware manipulation reported by Applebloum is different from the one described in Bloomberg’s earlier report. However, both were designed to “give attackers invisible access to data on a computer network in which the server is installed”, potentially giving Beijing access to internal networks.

“Supermicro is a victim - so is everyone else,” Appleboum said.

In a statement to Bloomberg, Supermicro said: “We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”

US lawmakers have sent a letter to Supermicro inquiring about their investigation of the alleged tampering. AT&T, Sprint, T-Mobile, Verizon and CenturyLink have stated they were not the telecom mentioned in the Bloomberg article.

Counterpoint

Cybersecurity experts have criticised various aspects of Bloomberg’s article including its lack of technical details, inaccurate imagery, failure to have sources speak on the record, and unanswered questions about why Chinese intelligence would opt for hardware manipulations as opposed to firmware attacks and exploits. Experts said there are still technical issues in the second article as well.

Assessment

Our assessment is that the Bloomberg report will spark further inquiry from Congress over the companies’ assessment and investigation into the alleged manipulation. We believe additional media reports are red herrings and will affect stock prices. We feel that there will be deeper discussions concerning supply chain risks, backdoors into enterprise systems and increased hardware threats to digital security in light of these reports.

Read more: