China Compromises Tech Companies With Malicious Microchips

An investigative report from Bloomberg  says that the Chinese military has successfully implanted malicious microchips in motherboards used by almost 30 US companies as well as intelligence agencies. 

Implanting microchips is a hardware hack that literally adds a piece that shouldn’t be there, opening a door for further attacks. 

The Bloomberg report is, however, disputed by several of the US technolgy companies allegedly affected.

What did the microchips do? 
The specific components added by a unit of the People’s Liberation Army allowed the motherboards to communicate with and be controlled or modified by an outside computer. That meant that these systems were pre-programmed to accept modifications, including, for example, manipulation of the requirement for a password. 

Bloomberg quoted Joe Grand, a hardware hacker, as saying that “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.” 

How did they get there? 
The motherboards with the malicious chips were manufactured in China for the US company Supermicro. That company assembles its products in the US, but its main product, motherboards, is manufactured in China. Supermicro, although not a household name for many Americans, supplies the hardware, often custom-built, for a wide range of companies and government agencies. 

That means that compromising the motherboards manufactured by Supermicro was an easy way to give China uninhibited access to key American industries and government operations. That’s exactly what happened. 

More specifically, the microchips themselves were manufactured by the Chinese military. Its officers then approached Chinese factories making motherboards for Supermicro and, with bribes and threats, had those microchips inserted during production. Those motherboards then became part of servers sold by Supermicro and used in US data centers. 

How was the problem discovered? 
As Bloomberg reports, the problem was discovered when Amazon looked into acquiring video compressing and formatting start-up Elemental Technologies. As part of its review, Amazon had a third-party security firm analyze Elemental’s servers.

That review found that within the motherboards used in the company’s servers was a tiny microchip that wasn’t part of the original design. 

Amazon reported this to US. authorities. Elemental's products, in addition to working on commercial projects like streaming the Olympics, also were used by the Department of Defense, CIA drone operations, and Navy warships. 

How big was the problem? 
The problem was much bigger than Elemental and affected almost 30 companies. That’s because it wasn’t just Elemental who used Supermicro motherboards, but more than 900 companies in 100 countries in 2015. The supply chain itself had been compromised. 

When did we learn about it? 
Intelligence sources had long said that the Chinese were attempting this sort of hardware attack, but the first report of activity targeted at Supermicro came in 2014 in a report made to the Obama White House. Washington was limited in its response because no attack had been reported and they had few details to act on. 

In May 2015, Apple reported suspicious activity to the FBI but kept the details quiet. Apple quietly cut ties with Supermicro soon after. The Amazon report to the FBI seems to have been much more cooperative and allowed better government understanding of the supply chain breach.

After that, Amazon also worked to cut ties with its data center in China and eventually sold it off. The full investigation, however, is still ongoing. 

What was China after? 
According to the Bloomberg report, Beijing wanted “long-term access to high-value corporate secrets and sensitive government networks.” Consumer data does not appear to have been the target. 
What do the companies involved have to say? 

Amazon, Apple, and Supermicro have all disputed the findings of Bloomberg’s report. Those statements, however, are disputed by the series of interviews, documents, and other information provided by both industry insiders and government officials involved in the matter to Bloomberg. 

What are some key takeaways? 
For one thing, this report undermines the long-held confidence that China wouldn’t want to try a hardware hack because it might hurt international trust in Chinese products driving lucrative manufacturing away from the country. It also means that although the US has been focused on software attacks, added vigilance on imported hardware is also necessary. 

Additionally, this means that China already likely has much, much more information on both US industry and military operations than was previously thought, and that Beijing is willing to aggressively and illegally go after this information. 

Finally, for President Trump’s promise of a better trade deal with China, it lends more credibility to claims of improper behavior on the part of Beijing, and perhaps justifies domestic production of key industries — not steel, but perhaps motherboards.

Washington Post:            Bloomberg

You Might Also Read:

New Microchip Increases Military Intelligence:

Modern Fiction: A Novel  Is Required Reading At The Pentagon:

 

« Google Is Building A Search Engine For Fact Checks
Buy A Dark Web Passport Scan For $15 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Secure Source

Secure Source

Secure Source specialise in search and recruitment for Cyber Security and Security Cleared markets.

S21sec

S21sec

S21sec is a leading European pure play cybersecurity consultancy, services and solutions provider.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Montimage

Montimage

Montimage develops tools for testing and monitoring networks, applications and services; in particular, for the verification of functional, performance (QoS/QoE) and security aspects.

Osirium

Osirium

The Osirium PxM Privileged Access Management platform addresses both security and compliance requirements by defining who gets access to what and when.

NeuShield

NeuShield

NeuShield is the only anti-ransomware technology that can recover your damaged data from malicious software attacks without a backup.

GreyNoise Intelligence

GreyNoise Intelligence

GreyNoise Intelligence is a cyber security company that collects, labels, and analyzes Internet-wide scan and attack data.

Stealth Software Technologies

Stealth Software Technologies

Stealth Software Technologies is focused on the generation of research and software products focused on applied cryptography and cybersecurity.

CyberPeace Foundation

CyberPeace Foundation

CPF is a think tank of cybersecurity and policy experts with the vision of pioneering Cyber Peace Initiatives to build collective resiliency against CyberCrimes and global threats of cyber warfare.

Shield Capital

Shield Capital

Shield Capital helps founders build frontier solutions in cybersecurity, artificial intelligence, space & autonomy for commercial and government enterprises.

CryptoNext Security

CryptoNext Security

CryptoNext provides optimal end-to-end post-quantum cybersecurity remediation tools and solutions for IT/OT infrastructures & applications.

ResilientX

ResilientX

ResilientX is an All-In-One Security Testing Platform designed to help MSPs and SMBs to perform their security testing and assessments without having to outsource IT.

APCERT

APCERT

APCERT cooperates with CERTs and CSIRTs to ensure internet security in the Asia Pacific region, based around genuine information sharing, trust and cooperation.

AKS iQ

AKS iQ

AKS iQ leads the RegTech sector with AI, automating regulatory compliance in the banking industry and ensuring paperless TBML and CFT adherence in finance.

Emircom

Emircom

Emircom is one of the Middle East's leading independent providers of IT infrastructure services, helping clients to drive growth and deliver measurable outcomes.

ZEST Security

ZEST Security

The ZEST platform natively integrates into your technology stack to make efficient risk remediation possible.