Five days after Bloomberg stunned the world with still-unconfirmed allegations that Chinese spies embedded data-sniffing chips in hardware used by Apple, Amazon, and dozens of other companies, the news organization is doubling down. Bloomberg is now reporting that a different factory-seeded manipulation from the previously described one was discovered in August inside the network of a major US telecommunications company.
Bloomberg didn’t name the company, citing a non-disclosure agreement between the unnamed telecom and the security firm it hired to scan its data centers. AT&T, Sprint, and T-Mobile all told Ars they weren’t the telecom mentioned in the Bloomberg post. Verizon and CenturyLink also denied finding backdoored Supermicro hardware in their data centers, Motherboard reported.
Tuesday’s report cites documents, analysis, and other evidence provided by Yossi Appleboum, who is co-CEO of a hardware security firm called Sepio Systems. Bloomberg said that, while Sepio was scanning servers belonging to the unnamed telecom, the firm detected unusual communications from a server designed by Supermicro. Supermicro, according to last week’s Bloomberg report, is the hardware manufacturer whose motherboards were modified in the factory to include a tiny microchip that caused attached servers to come under the control of a previously unreported division of China’s People’s Liberation Army. Supermicro told Bloomberg it had no knowledge of the implant, marking the second time the hardware maker has denied knowing anything about the reported manipulations.
The Supermicro backdoor reported Tuesday was also the result of malicious hardware secretly implanted during manufacture. This time, however, the addition was made to the Ethernet connector of the server used by the telecom company.
While the hardware manipulation reported Tuesday is different from the one described last week, Bloomberg said they shared key characteristics, namely that they were both designed to “give attackers invisible access to data on a computer network in which the server is installed.” What’s more, “the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.”
Tuesday’s report continued:
Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the “Silicon Valley of Hardware,” and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.
The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It’s not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.
The pushback against Bloomberg’s reporting has been truly extraordinary. Apple and Amazon—both of which typically provide short and vague statements to reporters—offered extremely detailed and vociferous denials. On Monday, Apple sent a letter to Congress that again asserted in unambiguous language that no officials inside the company were ever aware of malicious hardware being used in any of its networks. Both the US Department of Homeland Security and the UK’s National Cyber Security Center have said they have no reason to doubt the denials from Apple and Amazon.
Besides the denials, critics have also complained that last week’s article was based solely on anonymous sources who couldn’t be adequately scrutinized. Critics also said the article lacked technical details and failed to address why Chinese spies would go through the considerable work of introducing hardware manipulations into the supply chain when firmware attacks and other types of simpler exploits would have achieved the same capabilities.
The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. While it names a single source, some security experts quickly challenged the credibility of the report.
“Sure this story has one named source but it technically makes even less sense than the first one,” Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote on October 9, 2018. “Come on @Bloomberg get somebody who knows what they’re talking about to write these stories. Calling BS on this one as well.”
Appleboum didn’t respond to requests for comment for this post.
Other experts were much more circumspect.
“There are technical issues with both stories, but I think both are plausible,” Jake Williams, a former NSA hacker who is now founder of Rendition Security, tweeted on October 9, 2018. “In fact, a Twitter poll suggests most infosec professionals believe the original story is plausible. If you’re monitoring on the network, you have a chance to see this, otherwise nothing.”
If the Bloomberg reporting is accurate, it has uncovered arguably the biggest hack of all time. If not, it has sent the world down a dangerous and resource-consuming rabbit hole. Extraordinary claims require extraordinary proof. The difficulty critics face is that there’s no logical way to prove a negative. Neither adage proves nor disproves the claims of a highly sophisticated supply-chain attack infiltrating the world’s most powerful organizations. But they’re reminders that we have a long way to go before this troubling reporting should be taken as fact.