
Hardware Hacks: Supply Chain Boogeyman or New Threat to Cyber Security?


In early October, Bloomberg Businessweek published a story that was like something out of a conspiracy theorist fever dream — a tale of intrigue and industrial espionage, in which the supply chain is a battlefield, behemoth corporations are rendered vulnerable by microchips no bigger than a grain of rice, and cybercriminals remain hidden, cloaked in the digital darkness. But this isn’t the stuff of fiction.

While the veracity of the article has since been debated, it nevertheless raises some troubling questions about security in the supply chain. Below is a summary of the story in question.

A Routine Investigation

Amazon was in the process of evaluating a video-compression company, Elemental Technologies, with the intention of possibly acquiring it for Amazon Prime’s video streaming services. But Elemental’s ability to compress large video files and configure them for a variety of platforms wasn’t the only thing Amazon was interested in.

Elemental’s portfolio is quite impressive and includes contracts with the CIA and the International Space Station. Amazon, which has its own secure cloud service for the CIA, called Amazon Web Services (AWS), believed that Elemental would be useful for both video streaming services and intelligence applications.

In today’s ever-shifting, increasingly complex digital landscape, cybercrimes and digital espionage pose huge threats — even when dealing with matters unrelated to intelligence and national security — so it wasn’t out of the ordinary for Amazon to hire a third-party company to thoroughly investigate Elemental.

It didn’t take long for red flags to start popping up, and eventually, the investigation led to Elemental’s proprietary servers — devices integrated into customers’ networks to support the video compression process. Super Micro Computer Inc., one of the largest server motherboard suppliers in the world, assembled these servers.

When the investigators peeked inside the device, they discovered a tiny microchip attached to the motherboard — a tiny microchip that wasn’t supposed to be there. This was immediately reported to U.S. authorities, who took over the operation. Eventually, it was determined that the chip had been inserted during the manufacturing stage. The investigation revealed that 30 companies had been infiltrated using these chips, including government agencies, major corporations like Apple, and a major bank.

The hack was likely carried out by spies from a group within the People’s Liberation Army, a multi-branched armed force that acts as China’s military. China has long been suspected of committing acts of cyber espionage against several countries, including the United States. It has been estimated that China’s “hacker army” employs between 50,000 and 100,000 individuals.

Through these chips, secret agents from China were able to gain access to sensitive and classified networks through a secret back door. Even more unsettling, Elemental’s infected servers were being used not only by the CIA, but also by the Department of Defense and the Navy. And Elemental is just one of Super Micro’s many customers.

Unusual Circumstances

Historically, industrial espionage has been almost exclusively confined to the software realm. Hardware hacking is unusual because it’s generally considered difficult to pull off and requires a great deal of control over several areas within the supply chain.

Designing the hacking component itself can be tricky, as it must be able to integrate seamlessly with a product without disrupting it. Furthermore, the component must be implanted during the manufacturing phase and then move through a long chain of global logistics processes to reach its intended target.

In the Bloomberg article, hardware hacking expert Joe Grand was quoted as saying, “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow. Hardware is just so far off the radar, it’s almost treated like black magic.”

However, in spite of these obstacles, we are now facing a reality in which unicorns are doing somersaults over double rainbows. And when executed correctly, hardware hacks can have catastrophic consequences. These hacks can go undetected for long periods of time, granting spies access to sensitive or classified information.

True or False?

Amazon, Apple, and Super Micro have all denied the claims made by Bloomberg Businessweek. Addressing these denials, Bloomberg published statements that the companies emailed to the magazine in response to the original article.

  • Amazon — “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
  • Apple — “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
  • Super Micro — “We remain unaware of any such investigation.”

Although the FBI and other intelligence agencies have yet to comment on whether an investigation took place and, if so, what the findings were, there are several current and former senior national security officials, as well as several insiders from AWS and Apple, who have provided extensive details about the situation.

According to Bloomberg’s sources, “One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks.”

The Takeaway

Cybercriminals and developers are now caught in a high-stakes game of cat and mouse, in which each move brings about more and more advanced innovation from both sides. Every time cybercriminals develop a way to hack into a system, developers build a better mousetrap to prevent damage. And with each new security improvement, cybercriminals find a way to beat the new system.

So, if the story outlined in Bloomberg Businessweek is true, should it be considered an anomalous scenario that is unlikely to reoccur? Or is this the next step in the evolution of hacking and digital espionage? While it’s still too soon to tell what exactly this story signifies, it does show that a supply chain can be hacked, raising the question of how such infiltrations can be prevented in the future.

 
