{"id":13550,"date":"2018-10-10T09:10:02","date_gmt":"2018-10-10T17:10:02","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/10\/news-7317\/"},"modified":"2018-10-10T09:10:02","modified_gmt":"2018-10-10T17:10:02","slug":"news-7317","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/10\/10\/news-7317\/","title":{"rendered":"Bloomberg blunder highlights supply chain risks"},"content":{"rendered":"

Credit to Author: Adam McNeil| Date: Wed, 10 Oct 2018 16:00:00 +0000<\/strong><\/p>\n

Ooh boy! Talk about a back-and-forth, he said, she said<\/em>\u00a0story!<\/p>\n

No, we\u2019re not talking about that Supreme Court nomination. Rather, we\u2019re talking about Supermicro<\/a>. Supermicro manufacturers the type of computer hardware that is used by technology behemoths like Amazon and Apple, as well as government operations such as the Department of Defense and CIA facilities. And it was recently reported by Bloomberg that Chinese spies were able to infiltrate nearly 30 US companies by compromising Supermicro\u2014and therefore our country’s technology supply chain.<\/p>\n

If you\u2019ve been trying to follow the story, it may feel a bit like this:<\/p>\n

\"\"<\/p>\n

What do we know so far<\/h3>\n

On October 4, Bloomberg Businessweek<\/a> detailed a narrative regarding Chinese government influence into the operations of US-based hardware manufacturer Super Micro Computer, Inc., or simply Supermicro. The article was produced using information from 17 different anonymous sources including \u201cone from a Chinese foreign ministry,\u201d and draws on research spanning more than three years of investigations.<\/p>\n

The article alleges that operatives from a unit of the People\u2019s Liberation Army used a method known as seeding to compromise the Supermicro supply chain. They did this by coercing Chinese-based subcontractors responsible for the creation of the hardware circuitry to secretly install a high-tech spying chip into the motherboards and systems of computers destined for high-profile customers.<\/p>\n

Bloomberg suggests the access by top-level operatives allowed the Chinese government to conduct a highly-targeted and highly-complex spying operation against worldwide organizations and in all sectors of business, including finance, health, government, and private.<\/p>\n

\"\"<\/a><\/p>\n

That little chip is what the Bloomberg article says is responsible.<\/p>\n<\/div>\n

According to the article, the problem stems from a tiny microchip, not any bigger than a pencil tip, and that had been embedded to the electronic circuitry of compromised devices. Though the intent of the microchip remains uncertain, the article suggests it was capable of communicating with anonymous computers on the Internet and loading new code to the device operating system.<\/p>\n

In at least one case, the malicious microchips are alleged to be thin enough as to be embedded in between the layers of fiberglass onto which the other components were attached.<\/p>\n

\"\"<\/a><\/p>\n

The malicious microchip can be embedded between layers of hardware fiberglass.<\/p>\n<\/div>\n

The chips have the ability of being able to modify the instructions between the operating system and CPU, and can allow for code injection or other data-alteration techniques. The code has also created a stealth doorway into the networks of altered machines.<\/p>\n

Or as Bloomberg put it:<\/p>\n

\n

The implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard. This happened at a crucial moment, as small bits of the operating system were being stored in the board\u2019s temporary memory en route to the server\u2019s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.<\/p>\n<\/blockquote>\n

Talk about some deep-state, James Bond\u2013level stuff.<\/p>\n

Here, we have a story detailing illicit government operations and covert operatives who have systematically compromised the supply chain of one of the world\u2019s largest motherboard and custom hardware manufacturers. Threat actors have accomplished this using a deeply-technical and highly-targeted\u2014not to mention a nearly impossible mechanism to detect\u2014hardware attack utilizing incredibly small, sophisticated microchips that are embedded between the individual hardware fiberglass layers.<\/p>\n

And why did they do it? To initiate clandestine spying operations against some of the worlds\u2019 largest entities in order to exfiltrate sensitive intellectual property and top-secret government information.<\/p>\n

Quick, call a Hollywood director. I have a story to pitch!<\/p>\n

This is indeed a fantastic story filled with all sorts of nail-biting suspense and adventure, but just like any good Hollywood caper, we have to ask ourselves: Is there any truth to it? We imagine that when storytellers got a whiff of this tale, they did something like this:<\/p>\n