China Compromises Tech Companies With Malicious Microchips

Uploaded on 2018-10-08 in INTELLIGENCE--International, INTELLIGENCE-Hot Spots-China, FREE TO VIEW, BUSINESS-Services-IT & Telecoms, NEWS-Cybersecurity News

An investigative report from Bloomberg  says that the Chinese military has successfully implanted malicious microchips in motherboards used by almost 30 US companies as well as intelligence agencies. 

Implanting microchips is a hardware hack that literally adds a piece that shouldn’t be there, opening a door for further attacks. 

The Bloomberg report is, however, disputed by several of the US technolgy companies allegedly affected.

What did the microchips do? 
The specific components added by a unit of the People’s Liberation Army allowed the motherboards to communicate with and be controlled or modified by an outside computer. That meant that these systems were pre-programmed to accept modifications, including, for example, manipulation of the requirement for a password. 

Bloomberg quoted Joe Grand, a hardware hacker, as saying that “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.” 

How did they get there? 
The motherboards with the malicious chips were manufactured in China for the US company Supermicro. That company assembles its products in the US, but its main product, motherboards, is manufactured in China. Supermicro, although not a household name for many Americans, supplies the hardware, often custom-built, for a wide range of companies and government agencies. 

That means that compromising the motherboards manufactured by Supermicro was an easy way to give China uninhibited access to key American industries and government operations. That’s exactly what happened. 

More specifically, the microchips themselves were manufactured by the Chinese military. Its officers then approached Chinese factories making motherboards for Supermicro and, with bribes and threats, had those microchips inserted during production. Those motherboards then became part of servers sold by Supermicro and used in US data centers. 

How was the problem discovered? 
As Bloomberg reports, the problem was discovered when Amazon looked into acquiring video compressing and formatting start-up Elemental Technologies. As part of its review, Amazon had a third-party security firm analyze Elemental’s servers.

That review found that within the motherboards used in the company’s servers was a tiny microchip that wasn’t part of the original design. 

Amazon reported this to US. authorities. Elemental's products, in addition to working on commercial projects like streaming the Olympics, also were used by the Department of Defense, CIA drone operations, and Navy warships. 

How big was the problem? 
The problem was much bigger than Elemental and affected almost 30 companies. That’s because it wasn’t just Elemental who used Supermicro motherboards, but more than 900 companies in 100 countries in 2015. The supply chain itself had been compromised. 

When did we learn about it? 
Intelligence sources had long said that the Chinese were attempting this sort of hardware attack, but the first report of activity targeted at Supermicro came in 2014 in a report made to the Obama White House. Washington was limited in its response because no attack had been reported and they had few details to act on. 

In May 2015, Apple reported suspicious activity to the FBI but kept the details quiet. Apple quietly cut ties with Supermicro soon after. The Amazon report to the FBI seems to have been much more cooperative and allowed better government understanding of the supply chain breach.

After that, Amazon also worked to cut ties with its data center in China and eventually sold it off. The full investigation, however, is still ongoing. 

What was China after? 
According to the Bloomberg report, Beijing wanted “long-term access to high-value corporate secrets and sensitive government networks.” Consumer data does not appear to have been the target. 
What do the companies involved have to say? 

Amazon, Apple, and Supermicro have all disputed the findings of Bloomberg’s report. Those statements, however, are disputed by the series of interviews, documents, and other information provided by both industry insiders and government officials involved in the matter to Bloomberg. 

What are some key takeaways? 
For one thing, this report undermines the long-held confidence that China wouldn’t want to try a hardware hack because it might hurt international trust in Chinese products driving lucrative manufacturing away from the country. It also means that although the US has been focused on software attacks, added vigilance on imported hardware is also necessary. 

Additionally, this means that China already likely has much, much more information on both US industry and military operations than was previously thought, and that Beijing is willing to aggressively and illegally go after this information. 

Finally, for President Trump’s promise of a better trade deal with China, it lends more credibility to claims of improper behavior on the part of Beijing, and perhaps justifies domestic production of key industries — not steel, but perhaps motherboards.

Washington Post:            Bloomberg

You Might Also Read:

New Microchip Increases Military Intelligence:

Modern Fiction: A Novel  Is Required Reading At The Pentagon:

 

« Google Is Building A Search Engine For Fact Checks
Buy A Dark Web Passport Scan For $15 »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IPCopper

IPCopper

IPCopper specializes in network packet capture appliances for cybersecurity, cybersurveillance and network monitoring, and encrypted data storage.

Emerson Electric Co

Emerson Electric Co

Emerson provides industrial automation systems and associated cybersecurity solutions to protect critical process control systems from cyber attack.

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA)

Professional Insurance Agents (PIA) offer commercial insurance services including Cyber Liability insurance.

Compumatica

Compumatica

Compumatica is a leading European ICT security manufacturer for cybersecurity and encryption products. Solutions include network security, SCADA/ICS security, Mobile/BYOD and email encryption.

NowSecure

NowSecure

NowSecure are the experts in mobile app security testing software and services.

CodeSealer

CodeSealer

CodeSealer provide invisible end-to-end user interface protection with a unique web security solution to eliminate Man-in-the-Middle and Man-in-the-Browser vulnerabilties.

Cyber Security Malta

Cyber Security Malta

Cyber Security Malta is part of Malta's National Cyber Security Strategy which aims to combat cybercrime, strengthen national cyber defence and provide cyber security awareness and education.

Curricula

Curricula

Curricula's cyber security awareness training delivers short relatable security stories to your employees. We make learning cyber security simple and fun.

Raqmiyat

Raqmiyat

Raqmiyat provides end-to-end IT Services and business solutions including consultancy, digital transformation, infrastructure and cybersecurity.

Kennedys

Kennedys

Kennedys is a global law firm with expertise in litigation/dispute resolution and advisory services, particularly in the insurance/reinsurance and liability sectors, including cyber risk.

MedSec

MedSec

MedSec is the only company of its type focused solely on cybersecurity for hospitals and medical device manufacturers, offering both a cybersecurity software solution and consulting services.

Phylum

Phylum

Phylum provides powerful, automated software supply chain risk analysis that protects organizations, defends developers and enables secure innovation.

WPScan

WPScan

With WPScan, you'll be the first to know about vulnerabilities affecting your WordPress installation, plugins, and themes.

Zyber 365 Group

Zyber 365 Group

Zyber 365 are providing a robust, decentralized, and cyber-secured operating system which adheres to the fundamental principles of environmental sustainability.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.

KIT365

KIT365

KIT365 aim to protect organisations against cyber security attacks, by mitigating the risk to their systems and information, and protecting their data and reputation.