Bloomberg broke a story today about how Chinese spies reportedly inserted microchips into servers used by Apple, Amazon, and others. According to the article, Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies. The chips were “not much bigger than a grain of rice,” reports Bloomberg, but able to subvert the hardware they’re installed on, siphoning off data and letting in new code like a Trojan Horse. According to Bloomberg, Amazon and Apple discovered the hack through internal investigations and reported it to US authorities. The publication says there’s no direct evidence that the companies’ data — or that of users — was stolen or tampered with, but both firms worked quietly to remove the compromised servers from their infrastructure. IT security experts commented below.
Ross Rustici, Senior Director, Intelligence Services at Cybereason:
“This report highlights the fundamental vulnerability of the globally distributed supply chains that exist. Hardware interdiction as a means to enable spying or sabotage is a fairly old concept. The fundamental problem facing countries these days is that as globalisation has created economic efficiencies by offshoring labour intensive products, individual countries no longer provide single source construction for their national security components. This creates a massive vulnerability for anyone building a high tech weapon system today. While this particular supply chain infection happened at least three years ago, the state of supply chain vulnerability management has not improved substantially.
Fundamentally, supply chain security is a cost problem. It is almost always conducted by a complicit insider, whether it is at the factory, a transportation agent, or a customs official. This makes creating a tamper-proof product extremely costly; the number of safeguards and other mechanisms required would drive up the cost of the product beyond market viability.
This incident should force governments to re-examine how they inspect and certify critical hardware; however, in the history of the spy wars, this will likely be forgotten as just another example of how countries are leveraging the global, vulnerable supply chain for their own national security purposes.”
Edgard Capdevielle, CEO at Nozomi Networks:
“With revelations from the Super Micro attack revealing possible undetectable vulnerabilities in the supply chain, it becomes even more important to detect the malicious network activity they enable.
This means making sure you can dynamically identify all devices in your environments and ensuring continuous monitoring of corporate networks and industrial networks, especially those that operate critical infrastructure.
By detecting anomalies in the data traffic and in operations, organizations have their own tools to fight against these types of attacks.”
Pravin Kothari, CEO at CipherCloud:
“The new and recent DHS alerts about the Chinese APT10 “RedLeaves” cyberattack on cloud providers highlight the impossible problem faced by both enterprise and municipal government. The impossible problem is that enterprise and government cannot face off against well-funded nation-state attackers or large scale organized crime. It is a ridiculous proposition to believe otherwise. The U.S. government needs to step in and defend our internet infrastructure so that normal commerce and communications can continue unhindered. We must do this within the rule of law, put all of the evidence out there in the view of the global community, and enlist the support of our allies to ensure we are successful.”
Andy Wright, Check Point’s Regional Director for Northern Europe:
“This attack shows that the threat landscape is much broader than people realize, and it highlights the major security risks which inevitably result from growing use of digital platforms and cloud services. Entities which lack the correct perimeter security mechanisms are not equipped to protect their critical data from these fifth generation attacks, and are jeopardizing the security of their stakeholders.
“These types of attacks can be prevented using a comprehensive real-time perimeter security solution with anti-bot and reputation services, and good cooperation between government agencies and the cyber-security industry. These solutions can reduce the time it takes to respond to such attacks from years, as seen in this case, to hours, and provide effective prevention against even these stealthy exploits.”
Tom Kellermann, Chief Cybersecurity Officer at security company Carbon Black and former commissioner on President Barack Obama’s Cybersecurity Council:
“I am not shocked by the report from Bloomberg that claims China was able to infiltrate 30 large companies, like Apple and Amazon, and many federal agencies, by compromising the U.S. technology supply chain. This is a small example of China’s larger efforts to spy on and disrupt U.S. businesses. We have known for some time that China is a threat. Government agencies have grown increasingly wary about how vulnerable U.S. infrastructure may be to Chinese espionage. China’s activities in this area have only ramped up in recent years, particularly as trade tensions between China and the U.S. have increased.
Carbon Black’s quarterly Incident Response Threat Report shows that IT leaders are unambiguously pointing the finger at China and Russia for originating the vast majority of cyberattacks. And cybercriminals are seeking more than just financial gain or IP theft – 35% of the IT heads that we surveyed say the attackers’ end goal is espionage – as evident in China’s spying campaign.”
Kurt Baumgartner, Principal Security Researcher at Kaspersky Lab:
“Any alleged compromise of the hardware supply chain is a worrying event. Big companies such as Facebook and Amazon design their own hardware because they use so much of it, so it would make sense that they would be the ones to find anything, and it is important that such companies keep examining their platforms. The incident reported in the media highlights how stealthy an attack using tiny, carefully crafted and hidden chips could be. They could potentially alter the operating system or reduce overall security, for example by weakening encryption schemes, or raising privileges and access. There is a lot at stake: personal and corporate communications, IP, customer data, and more.
“However, sooner or later, the chip would have to phone home, and it is when communicating with the attacker’s command and control system that undiscovered threats are often most vulnerable. A defender looking at network traffic suddenly spots the anomaly. This is a big problem for threat actors, but it helps the security industry. We and other security companies have warned about a rise in supply chain attacks for a while now, and it is an area organizations need to be very alert to. Even things such as USB sticks still need checking for irregular traffic as they continue to be actively used to spread infection.”
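Both Capdevielle’s point about continuous monitoring and Baumgartner’s point that an implant must eventually phone home rest on the same defensive idea: machine-driven command-and-control traffic tends to be far more regular than human-driven traffic. The following is an added example, not code from the page or from any of the companies quoted, that scores outbound connection pairs by the regularity of their inter-connection gaps over a small constructed set of flow records; the host names, IP addresses, allow-list and thresholds are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (timestamp_s, src_host, dst_ip, dst_port). Not real traffic.
FLOWS = [
    # web-01 reaches an unknown external host every ~300 s: classic beacon shape
    (0, "web-01", "203.0.113.7", 443), (298, "web-01", "203.0.113.7", 443),
    (602, "web-01", "203.0.113.7", 443), (899, "web-01", "203.0.113.7", 443),
    (1201, "web-01", "203.0.113.7", 443), (1500, "web-01", "203.0.113.7", 443),
    # web-02 polls an allow-listed update mirror on a schedule: regular but expected
    (0, "web-02", "198.51.100.20", 443), (600, "web-02", "198.51.100.20", 443),
    (1200, "web-02", "198.51.100.20", 443), (1800, "web-02", "198.51.100.20", 443),
    (2400, "web-02", "198.51.100.20", 443), (3000, "web-02", "198.51.100.20", 443),
    # web-03 talks to a SaaS API at irregular, user-driven intervals: not a beacon
    (5, "web-03", "192.0.2.44", 443), (40, "web-03", "192.0.2.44", 443),
    (410, "web-03", "192.0.2.44", 443), (430, "web-03", "192.0.2.44", 443),
    (1900, "web-03", "192.0.2.44", 443), (1905, "web-03", "192.0.2.44", 443),
]
KNOWN_GOOD = {"198.51.100.20"}  # constructed allow-list of expected destinations


def find_beacons(flows, known_good, min_flows=5, max_cv=0.10):
    """Return {(src, dst, port): (count, mean_gap_s, cv)} for suspiciously regular talkers.

    cv is stddev/mean of the gaps between successive connections for one
    (src, dst, port) pair; a value near 0 means clock-like regularity, which is
    typical of an implant checking in and rare for human-driven traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        if dst not in known_good:  # skip destinations the inventory already explains
            by_pair[(src, dst, port)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_flows:  # too few samples to judge periodicity
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits[pair] = (len(stamps), round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for pair, stats in find_beacons(FLOWS, KNOWN_GOOD).items():
        print("possible beacon:", pair, "count/mean gap/cv =", stats)
```

On the constructed data only web-01 is reported; lowering `max_cv` or dropping the allow-list trades more coverage for more noise from legitimate scheduled jobs, which is why the asset inventory Capdevielle describes matters as much as the detector.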
Matan Or-El, CEO at Panorays:
“It is critically important for cyber threat intelligence like this to be disseminated, as companies can take extra precautions to secure the supply chain. These steps include discovering assets that hackers can target, identifying vulnerabilities and remediating any cyber gaps. However, the sophistication of these attacks means that companies will have to continuously review their digital assets and those of their third-party vendors and business partners to ensure that all vulnerabilities are detected and patched.”