The Mother of All Hacks: What Would Churchill Have Done?
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
What price silence?
At the start of the Second World War, Coventry was a medium-sized (240,000) industrial city in England’s West Midlands which contained metal-working industries and munitions factories and was thus an attractive target for the Germans. It resembled, at least metaphorically, the array of compromised and target-rich servers that have been fabricated, manufactured and distributed throughout the world by Supermicro.
Historians have asserted that the British government had advance warning of the attack through their interception and decoding of German radio messages. They further assert that Winston Churchill ordered that no defensive measures should be taken to protect Coventry, so that the Germans wouldn’t find out that their cipher had been broken. In fact, the key player for the counterespionage team claims that both Churchill and Roosevelt knew about the planned attack yet decided not to warn the city ahead of time.
Risking the lives of 240,000 people to win a war is not historically unprecedented. In fact, it seems simply one component of the cost structure inherent in warfare.
As we witness the ongoing unfolding of the SuperMicro disaster (or mystery for some), it now appears clear that the U.S. intelligence apparatus knew of these ongoing attacks for years but chose not to notify the affected companies, because doing so would have alerted the attacking Chinese units that they had been discovered and would also have compromised an ongoing FBI investigation.
They continually tell us that we don’t want to know how the sausage is made, and they’re right.
Now that the world knows, why can’t the NSA start notifying all the victims, whom they ought to be able to identify without compromising their discovery process? They could simply scan the Internet for the presence of the rogue feature in all connected servers and then identify the company to which each belongs. Using the “phone home” port binding vulnerability planted in the compromised servers to detect the rogue chip is a simple way to assess the field of damage, and I would be surprised if the NSA had not already done this anyway. It would certainly be helpful to thousands of companies who are already stretched thin on cybersecurity technical resources.
Lending credibility to the Bloomberg report, back in 2016 Apple quietly removed all SuperMicro servers from its products due to what it called a “Security Incident” at the time, which led to wide speculation that SuperMicro had provided a sabotaged BIOS (the bootstrap program used to start the computer), giving an attacker the ability to seize complete control over the operating system and do whatever they chose. Then as now, Apple denied that any threat resulted from the discovery and said that no users were at risk.
Apple, Amazon and SuperMicro (so directed by their lawyers) have all issued very strong public denials in the wake of the current hack. But, since we saw Apple behave in a way that is indicative of a cover-up two years ago, and since everyone in the cybersecurity community agrees that an attack of this nature is not only plausible but likely, it is hard not to be skeptical of the denials. It is one thing to be accused of something without corroborating evidence. It is another when a preponderance of evidence asserts itself.
As a refresher, the journalists who first reported the story in Bloomberg’s Businessweek, Jordan Robertson and Michael Riley, both did extensive research into what they described as an entire computer supply-chain sabotage that emanated from and exited back through SuperMicro, a Chinese-owned manufacturing business in San Jose. This reporting makes the historic Woodward and Bernstein “Deep Throat” Watergate story seem almost inconsequential in its outcome, impact and damage assessment. After all, with Nixon and his thugs, all that happened was a bungled physical break-in and wire-tapping attempt at a minimum-security apartment co-op.
The allegation that China has been engaging in mass-scale supply-chain sabotage, corrupting thousands of servers that end up in the server rooms of almost all major U.S. companies, of every federal and state government system, and of God only knows how many other businesses and governments around the world, is somewhat larger in scope and impact.
When more intrepid reporting discovers that other companies have found compromised servers operating on their networks, like the recent announcement from a major U.S. telecommunications company, it will be hard to diminish the culpability or the increased risk, or to continue to deny the guilt. Denying and then later admitting that a breach occurred has become a pattern for our larger enterprises, and it never seems to bother their customers all that much (Facebook, Yahoo, Equifax, Google+, etc.). So, maybe the lawyers shouldn’t be all that concerned.
The telecom company’s discovery was slightly different from the one described in the initial Bloomberg Businessweek report, but it shares two key characteristics. One, both are designed to give attackers opaque access to data on any computer network to which the server is connected; and two, the modifications were found to have been made at the factory where the motherboard was being produced by a Supermicro subcontractor in China.
A widely respected cybersecurity expert’s inspection of the actual device (for you engineers who need physical evidence) found that the telecom company’s server had been modified at the Supermicro subcontractor’s Chinese factory in Guangzhou, and when he and the telecom company’s engineers could not account for the kind of data that was pulsing through the infected server, they knew immediately that it was corrupted.
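The article's two detection ideas, looking for the implant's "phone home" traffic and noticing data leaving a server that its owners cannot account for, come down to the same defensive check: baseline what a server's management interface is allowed to talk to and flag anything else, especially traffic that repeats on a fixed schedule. The script below is an added example, not code from the article, from Supermicro or from any of the companies named; the management subnet, the allowlist of expected destinations and the flow-log records are all constructed for the demonstration, and the beaconing threshold is an assumed value, not something the article specifies.

```python
"""Flag unexpected and periodic outbound connections from hosts on a server
management (BMC/IPMI) subnet, using constructed flow-log records.

Added illustration for the article's "phone home" detection point; the
subnet, allowlist and records below are assumptions made up for the demo.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: management interfaces of the servers live in this private subnet.
MGMT_NET = ip_network("10.20.0.0/24")

# Assumption: the only (destination, port) pairs a management interface should
# ever reach. Anything else is worth a ticket, periodic or not.
ALLOWED_DESTS = {
    ("10.20.0.250", 123),   # internal NTP
    ("10.20.0.251", 514),   # syslog collector
    ("10.20.0.252", 443),   # internal firmware/update mirror
}

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    (1_700_000_000, "10.20.0.17", "10.20.0.250", 123, 76),    # expected NTP
    (1_700_000_100, "10.20.0.17", "10.20.0.251", 514, 512),   # expected syslog
    # host .23 talks to an external address roughly every 300 s, tiny payloads
    (1_700_000_000, "10.20.0.23", "203.0.113.9", 443, 96),
    (1_700_000_301, "10.20.0.23", "203.0.113.9", 443, 98),
    (1_700_000_599, "10.20.0.23", "203.0.113.9", 443, 96),
    (1_700_000_902, "10.20.0.23", "203.0.113.9", 443, 97),
    # host .31 made one unexpected connection: unexpected, but not periodic
    (1_700_000_050, "10.20.0.31", "198.51.100.4", 80, 1400),
    # a host outside the management subnet; out of scope for this check
    (1_700_000_010, "10.40.1.5", "203.0.113.9", 443, 96),
]


def is_expected(dst_ip, dst_port):
    """True when the destination is on the management-interface allowlist."""
    return (dst_ip, dst_port) in ALLOWED_DESTS


def interval_regularity(timestamps):
    """Return (mean_gap, coefficient_of_variation) for the sorted timestamps.

    A coefficient of variation near zero means the connections are evenly
    spaced, which is the signature of a beacon rather than of human activity.
    Returns (None, None) when there are too few connections to judge.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else 0.0)


def find_suspect_egress(flows, min_hits=3, max_cv=0.1):
    """Group management-subnet flows by (src, dst, port), drop allowlisted
    destinations and report each remaining tuple, marking periodic ones.

    max_cv=0.1 is an assumed jitter tolerance for calling a pattern periodic.
    """
    by_tuple = defaultdict(lambda: {"times": [], "bytes": 0})
    for ts, src, dst, port, nbytes in flows:
        if ip_address(src) not in MGMT_NET or is_expected(dst, port):
            continue
        entry = by_tuple[(src, dst, port)]
        entry["times"].append(ts)
        entry["bytes"] += nbytes

    findings = {}
    for key, entry in by_tuple.items():
        avg, cv = interval_regularity(entry["times"])
        periodic = len(entry["times"]) >= min_hits and cv is not None and cv <= max_cv
        findings[key] = {
            "count": len(entry["times"]),
            "bytes": entry["bytes"],
            "mean_interval": avg,
            "cv": cv,
            "periodic": periodic,
        }
    return findings


if __name__ == "__main__":
    for (src, dst, port), info in find_suspect_egress(SAMPLE_FLOWS).items():
        tag = "PERIODIC" if info["periodic"] else "one-off"
        print(f"{src} -> {dst}:{port} {tag} count={info['count']} bytes={info['bytes']}")
```

In practice the allowlist comes from the network design (the BMC VLAN should only reach NTP, logging and a patch mirror) and the flow records from a NetFlow/IPFIX collector or the egress firewall; the point the article makes is that such traffic is only invisible if nobody is comparing what the management network does against what it is supposed to do.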
As the evidence continues to mount, you can safely anticipate that people like Kevin Bauer (Chief Financial Officer) and Don Clegg (Senior Vice President of Worldwide Sales) will quietly turn in their resignations, and more announcements from compromised companies over the next few weeks are inevitable as well.
Despite Churchill’s silence on the matter, we can probably then start to move beyond a preponderance of evidence toward the land beyond reasonable doubt.
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
6 years
The sources are anonymous — likely because the information they shared wasn’t theirs to share or it was classified, putting sources at risk of legal jeopardy. But that makes accountability difficult. No reporter wants to say “a source familiar with the matter” because it weakens the story. It’s the reason reporters will tag names to spokespeople or officials, so that it holds the powers accountable for their words. And the denials from the companies themselves — though transparently published in full by Bloomberg — are not bulletproof in outright rejection of the story’s claims. These statements go through legal counsel and are subject to government regulation. These statements become a counterbalance — turning the story from an evidence-based report into a “he said, she said” situation. That puts the onus on the reader to judge Bloomberg’s reporting. Reporters can publish the truth all they want, but ultimately it’s down to the reader to believe it or not. I will continue to follow this story because, if true, it has immeasurable implications and consequences at a very large scale. One thing is clear to me, and that is that the story is not some whimsical media concoction. There is smoke here, and smoke usually leads to ...
Cloud Security Architect / Cyber Defense / High Threat Cybersecurity / AI + ML
6 years
Nice to see all the conspiracy theories quickly pop up on LinkedIn. Let’s talk basic facts:
1) Bloomberg cannot back up their claims. Several independent technical journals have asked for any shred of specific details (model numbers, board revisions, etc.). Stunning silence.
2) Any person who has been involved with network security would realize that the actual claim of a “phone home” type of inject is unfiltered BS. With today’s firewalls and monitoring software, especially at places like Apple and financial companies, this traffic would have been spotted long ago. Keep in mind the “anonymous sources” in the article claim this happened in 2015-2017.
3) The previous generation motherboards are cheaply available on eBay. Bloomberg could have easily purchased a few and had a technical resource validate the claims. They didn’t.
4) In the age of cyberscare clickbait journalism, comparing this substandard article to Winston Churchill is laughable at best.
Technology Solutions Leader
6 years
Good article
plant fitter
6 years
Interesting read