Mother of All Hacks ... UPDATE!
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
Fresh evidence of alleged tampering by China surfaced today: a major U.S. telecommunications company discovered more manipulated Supermicro hardware in its network and removed it just one month ago.
A security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of the recent investigative report in Bloomberg Businessweek, but cannot name the telecom company due to his nondisclosure agreement. AT&T and Verizon have both said they are not affected, while T-Mobile and Sprint have yet to respond to requests for comment.
Appleboum claims that the telecom company's server was modified at the factory where it was manufactured, which he has identified through western intelligence contacts as a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China.
Appleboum accompanied the telecommunications company's technicians on a visual inspection, and neither could identify the types of data being processed by the compromised server. But the unusual communications emanating from the server, and the subsequent physical inspection, revealed an implant built into the server’s Ethernet connector.
While this manipulation differs from the one described in the Bloomberg Businessweek report last week, it shares a key characteristic: both are designed to give attackers invisible access to data flowing through the network on which the server is installed. Appleboum says he has seen similar manipulations of other vendors' computer hardware made by contractors in China, not just products from Supermicro. Describing what he perceives as the problem with the Chinese supply chain, his concern is that there are countless points in that supply chain where manipulations can be introduced, and detecting them is in most cases impossible.
Supermicro has issued this statement: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations.”
Bloomberg News says it first contacted Supermicro for comment on this story on Monday at 9:23 a.m. Eastern time and gave the company 24 hours to respond. Supermicro shares plunged 41 percent last Thursday, the most since it became a public company, and fell by as much as 27 percent today, closing down 16 percent after the latest story.
Some observers have reason to suspect that the original Bloomberg story may not be valid. Apple and Amazon have vehemently denied ever finding malicious chips on their servers. Yesterday, in a letter to Congress, Apple’s vice president of information security, George Stathakopoulos, delivered the company’s strongest denial to date.
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” he said. “We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”
This follows statements by both the U.K. National Cyber Security Centre and the U.S. Department of Homeland Security that they had “no reason to doubt” the denials issued by Apple, Amazon and Supermicro.
Given that the potential fallout from this story, were it proven true and corroborated with physical evidence, would be enormous, it is easy to understand why Apple, Amazon and our folks in the agencies would be operating in strenuous damage-control mode. Obviously, as more information leaks and more facts emerge, the story will either take on a life of its own or die accordingly.
Yossi Appleboum’s background is interesting, however.
He previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. Sepio specializes in hardware security and was hired to scan several large data centers belonging to the as yet unnamed telecommunications company.
Their board is chaired by Tamir Pardo, former director of the Mossad, Israel's national intelligence agency, and their advisory board includes Robert Bigman, former CISO (Chief Information Security Officer) of the CIA (U.S. Central Intelligence Agency).
Bigman serves as an advisory board member of several software technology companies and has sat on the Board of Advisors of Cylance, Inc., a leading and well-respected cybersecurity software company, since 2013. Recognized as a pioneer in the field of classified information protection, Bigman developed technical processes to manage our country’s most sensitive secrets and has worked in every area of information and data security, receiving numerous CIA and Director of National Intelligence awards.
In addition, three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound.
And, finally, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It could not confirm the details of Bloomberg's reporting, the authority said in a statement, but it has recently been in dialogue with partners over the issue.
I guess if your livelihood depended upon your stock price and the revenue from the sale of cloud computing, mobile phones, Internet connections, laptops and servers, you too would deny that you had ever found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server of yours.
Could the key word here be "purposely"?