Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Software Side of China's Supply Chain Attack (bloomberg.com)

Posted by msmash on from the other-shoe-drops dept.

Bloomberg BusinessWeek published a story on Thursday which claimed that data center equipments run by Amazon Web Services and Apple were subject to surveillance from the Chinese government via a tiny microchip inserted during the equipment manufacturing process. Both Amazon and Apple have vehemently refuted Bloomberg's reporting. Bloomberg's reporters, who have spent more than a year on the story and have cited 17 sources for the claims they make in it, have doubled down. In a new story, the news outlet reports that Supermicro was the target of at least two additional forms of attack. This report claims that Facebook was aware of these attacks, too, which has confirmed it. From the story: The first of the other two prongs involved a Supermicro online portal that customers used to get critical software updates, and that was breached by China-based attackers in 2015. The problem, which was never made public, was identified after at least two Supermicro customers downloaded firmware -- software installed in hardware components -- meant to update their motherboards' network cards, key components that control communications between servers running in a data center. The code had been altered, allowing the attackers to secretly take over a server's communications, according to samples passed around at the time among a small group of Supermicro customers. One of these customers was Facebook.

"In 2015, we were made aware of malicious manipulation of software related to Supermicro hardware from industry partners through our threat intelligence industry sharing programs," Facebook said in an emailed statement. "While Facebook has purchased a limited number of Supermicro hardware for testing purposes confined to our labs, our investigations reveal that it has not been used in production, and we are in the process of removing them." The victims considered the faulty code a serious breach. Further reading: Bloomberg's spy chip story reveals the murky world of national security reporting.

63 comments

  1. Prove it by Anonymous Coward · · Score: -1

    Show us the chip; not marketing diagrams invented for reporting. Show us the chip in action. Where is the CVE? etc

    Otherwise it's just politicization to set seeds against China.

    1. Re:Prove it by Anonymous Coward · · Score: 0

      Wow, Chinese government shills are quick on the draw today. Congratulations on your fp.

    2. Re:Prove it by Anonymous Coward · · Score: -1

      Is not Chinese government shills, is anyone with more than two brain cells that is skeptic of this piece of "journalism".

    3. Re:Prove it by Anonymous Coward · · Score: 0

      Da Comrade! Is very true. Next time though, try not to sound like a low rent Soviet extra in an 80s movie with your sentence structure. Putin will not be pleased to see you acting so transparently. Maybe he will invite you in for some polonium tea to talk about your performance....

    4. Re:Prove it by k6mfw · · Score: 1

      Show us the chip; not marketing diagrams invented for reporting.

      I remember way back in the 20th century you can get schematics that show the circuit, parts, etc. And if you can read schematics, you can also learn how things are put together and learn how to do stuff yourself. Places like Radio Shack will give you a better paying position besides just a clerk.

      Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.

      --
      mfwright@batnet.com
    5. Re:Prove it by Anonymous Coward · · Score: -1

      I am more capitalists than you by a mile and a half, you probably live of government support, but i don't believe any garbage than a business journal that have nothing with computing technology trow in their website, i want to see evidence nothing more nothing less, the stocks of a American company was hammer by this piece of "journalism" with providing any evidence about their claims.

    6. Re:Prove it by Anonymous Coward · · Score: 0

      You want to see "seed" in action, check your mom.

    7. Re:Prove it by Anonymous Coward · · Score: 0

      Chips are in supermicro hardware deployed in china. what did you think? they'd export their best tech?

    8. Re:Prove it by Pascoea · · Score: 1

      Come to think of it, it is a struggle to get actual schematics. And if you can get them, they are so densely packed with lines and many unclearly labeled boxes, not very useful.

      I used to work at a contract manufacturer, working on production failures for a certain network/security device company. (Not Cisco, one of the other big ones) Even getting detailed schematics, board layouts, signal functions, etc. was a giant pain in the ass. Those types of companies guard that shit like it's gold. What I don't understand, try and find a schematic/repair manual for any modern piece of sound equipment. Can't get them half the time, the other half the time they want to charge you $40 for the PDF. Almost like they don't want you fixing their stuff, and would rather you buy a new one.

    9. Re:Prove it by mrclevesque · · Score: 1

      It does looks like Bloomberg's story isn't complete and relies on anonymous sources.

      "Today’s bombshell Bloomberg story has the internet split: either the story is right, and reporters have uncovered one of the largest and jarring breaches of the U.S. tech industry by a foreign adversary or it’s not, and a lot of people screwed up." https://techcrunch.com/2018/10...

      Links from the Techcrunch article:

      "The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found “malicious chips” in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims." https://www.apple.com/newsroom...

      "Steve Schmidt, Chief Information Security Officer at Amazon Web Services stated, "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems." https://www.prnewswire.com/new...

  2. Here comes an army of Chinese by Anonymous Coward · · Score: 4, Informative

    To pretend there's no chinese espionage. And Tienneman square never happened.

    Maybe if they post enough the government won't harvest their organs.

    1. Re:Here comes an army of Chinese by Anonymous Coward · · Score: 0

      Well, they have to balance out the army of murrican dummies that unconditionally accept even the most illogical and evidence deprived domestic propaganda, in an act of display of their sole "redeeming quality".

    2. Re:Here comes an army of Chinese by Anonymous Coward · · Score: 0

      Don't forget the CIA shills like GP.

    3. Re:Here comes an army of Chinese by Anonymous Coward · · Score: 0

      But Chinese don't deny Tiannanmen. How could they possibly do that with all the footage. They simply say that what the students' demands were unreasonable and simply a pipe dream. Even Harvard's renowned Chinese historian Fairbanks seems to suggest the same, stating that when that the students demands were incoherent. He suggests that the students true needs were basic needs like better food, housing, etc. However the students could not make such "selfish" demands on the whole of China, when the rest of China was still very poor, so they latched on to demands like "democracy", to appeal to a wider net. Even though democracy wouldn't necessarily improve their material situation. Just look at Russia or India.

      Democracies by far and wide may be okay for the West, but not necessarily for every country at every stage. Also the western concept of democracy may not necessarily be universal either. A debate that has caused much war and suffering in the past few decades.

    4. Re: Here comes an army of Chinese by Anonymous Coward · · Score: 0

      Well explained comrade.

    5. Re: Here comes an army of Chinese by Anonymous Coward · · Score: 0

      Awesome reply. I suppose I can't expect much more. That's the general issue with discourse these days.

    6. Re:Here comes an army of Chinese by Anonymous Coward · · Score: 0

      It is an interesting explanation but it is absurd. When some third party is saying the students did not get what they asked for because their "true needs" were actually better food, housing..So, instead of listening to what the students claimed they wanted ("democracy"), some supposed scholar now tells us that giving the students what they wanted would not have met their "true" needs". All authoritarians make this claim. They weren't asking for their needs to be met, they wanted say in their government, which of course those in power were not going to grant. I do agree, however, in free countries people don't have the guarantee that all their needs will be met.

  3. Who cares by Anonymous Coward · · Score: 2, Insightful

    The Intel ME processor built into every Intel x86 chip can do all of this and more, yet nobody even bats an eye

    Hell, it runs even when your computer is turned off

  4. Remind me how free access for our enemies by Crashmarik · · Score: 4, Interesting

    to our markets was supposed to be a grand benefit ?

    And why we have a senator with a Chinese spy on her staff
    https://www.washingtonpost.com...

    1. Re:Remind me how free access for our enemies by Anonymous Coward · · Score: 0

      free trade is an end unto itself didn't you get the memo?

    2. Re:Remind me how free access for our enemies by Anonymous Coward · · Score: 0

      Nice political spinjob. You're definitely credible.

      Why are you worried about this when the Russians have front-door access right to the top?

    3. Re:Remind me how free access for our enemies by Anonymous Coward · · Score: 4, Interesting

      to our markets was supposed to be a grand benefit ?

      We could outsource most of our well paying manufacturing jobs to them, save a ton of money, reduce the power of the middle class, and pay our rich even larger profits.

      And why we have a senator with a Chinese spy on her staff
      https://www.washingtonpost.com...

      Feinstein is so pro-"government spying on its people" that she felt the need to hire an expert. FWIW, not even her own party wants her anymore: California Democratic Party Snubs Feinstein, Endorses Rival

    4. Re:Remind me how free access for our enemies by Gravis+Zero · · Score: 3, Informative

      And why we have a senator with a Chinese spy on her staff
      https://www.washingtonpost.com...

      If you believe anything Marc Thiessen writes then you're as dumb as he is. Mr. Thiessen is the most disingenuous writer and greatest partisan hack I know besides Megan McArdle who is so insanely partisan that she argued in favor of insider trading after Republican Rep. Chris Collins was caught doing it!

      --
      Anons need not reply. Questions end with a question mark.
    5. Re:Remind me how free access for our enemies by Crashmarik · · Score: 1

      I didn't think I would need to post every news story available on the internet about this.

      Here's from the San Francisco CBS outlet https://sanfrancisco.cbslocal....

      Here's a google search

      https://www.google.com/search?...

    6. Re:Remind me how free access for our enemies by Anonymous Coward · · Score: 0

      According to the article you linked, we do not.

    7. Re:Remind me how free access for our enemies by Anonymous Coward · · Score: 1

      See this? THIS is "Whatabboutism"!

      It is an attempt to distract from the fact that Feinstein employed a Chinese spy by making attacks about entirely unrelated topics. McArdle's partisan behavior has NOTHING to do with Thiessen's honesty or lack of it.

      You couldn't even be bothered to attack Thiessen directly, much less attempt to make an argument about his reporting. It's pretty bad when you can't even muster a straight up ad hominem fallacy.

      If you have any evidence that Feinstein did NOT employ a Chinese spy, feel free to post it. That would be a counter argument. What you are doing instead is just ranting.

    8. Re:Remind me how free access for our enemies by DRJlaw · · Score: 1

      If you have any evidence that Feinstein did NOT employ a Chinese spy, feel free to post it

      If you have conclusive evidence that she did, post it. Because the burden of proof is on those arguing that she did, not the other way around.

      Unproven.. Even after a better-than-Kavanaugh-quality FBI investigation, so you've just gotta take them at their word. Innocent until proven guilty, drivers will be drivers, blah blah blah...

  5. "refuted" by cascadingstylesheet · · Score: 3, Insightful

    Both Amazon and Apple have vehemently refuted Bloomberg's reporting.

    They haven't "refuted" it, they've "denied" it. Or perhaps "rebutted" it.

    1. Re:"refuted" by Anonymous Coward · · Score: -1

      wow you're really good at synonyms congratulations

    2. Re:"refuted" by sjames · · Score: 2

      Go read a dictionary. Refuted and denied are not synonyms.

    3. Re:"refuted" by Anonymous Coward · · Score: 0

      Go read a dictionary. Refuted and denied are not synonyms.

      You are correct, but use a thesaurus, not a dictionary.

    4. Re:"refuted" by sjames · · Score: 4, Informative

      A thesaurus shows that they are not synonyms. A dictionary shows why not.

    5. Re:"refuted" by gnick · · Score: 3, Funny

      Go read a dictionary.

      Most tedious plot ever. Spoiler alert: The zebra did it.

      --
      He's getting rather old, but he's a good mouse.
    6. Re:"refuted" by Anonymous Coward · · Score: 0

      Go read a dictionary. Refuted and denied are not synonyms.

      What about "refuted" and "rebutted"?

      Or perhaps "rebutted" it.

      I'm pretty sure they are synonyms.

    7. Re:"refuted" by Anonymous Coward · · Score: 0

      Supermicro denied it as well. We can shoot down this fake story apparently.

  6. applying the same logic... by kiviQr · · Score: 0

    Intel used not so tiny chip to allow people to hack your PC?

  7. Chinese guys have small dicks by Anonymous Coward · · Score: 0

    So they hack to compensate

  8. Russia did it! by skaralic · · Score: 0

    Surely the Russians did this. They seem guilty of everything else these days...

    1. Re: Russia did it! by Anonymous Coward · · Score: 1

      Oh bless your heart, sweetie. You forgot to say "But Obama" while you were at it.

  9. Cool.. by ASCIIxTended · · Score: 1

    ..looks like I'm going to be able to buy SuperMicro servers super cheap! I suspect the used server market is also about to be flooded..

    --
    I do not belong to the church of the lowercase 'i'
    1. Re:Cool.. by Anonymous Coward · · Score: 1

      The market was flooded with cheap SuperMicro servers in early 2016. Which could possibly co-inside with some big companies like FB/AMZN getting rid of them without telling anyone else why.

  10. China learned this from the NSA by Nocturrne · · Score: 1

    How many of us have hand carried blade servers to install in a data center? Interception of gear shipments and modifications in transit have been going on for decades. Dark silicon and closed source firmware are the norm now. The Chinese are amateurs...

  11. Comment removed by account_deleted · · Score: -1

    Comment removed based on user account deletion

  12. Evidence-Free Journalism by Anonymous Coward · · Score: 0, Informative

    Extraordinary claims require extraordinary evidence, until someone publish a technical paper that can be peer reviewed
    with detailed information of the chip and how its works, this is a misinformed article at best or a propaganda at worse.

  13. SuperMicro is going to mean by turp182 · · Score: 4, Funny

    SuperMicro is going to mean the number of customers they end up with.

    --
    BlameBillCosby.com
    1. Re:SuperMicro is going to mean by sjames · · Score: 3, Insightful

      Wait for the other shoe. It's not logical to think that the Chinese government ONLY had those outsource manufacturers alter Supermicro boards.

      Many other brands are likely affected.

  14. Seems pretty obvious by llamalad · · Score: 3, Insightful

    A strong argument against our government agencies actively backdooring stuff (cisco hardware, AES, key escrow, etc) and passively maintaining an arsenal of zero day exploits is that these things will be leaked or discovered independently and used by adversarial states against our companies and citizens.

    It's happened a bunch.

    Now some companies catch China doing it. They protect themselves, turn over the details to three-letter-agencies, and deny it ever happened so that the exploit can be added to the national arsenal of weaponized vulnerabilities.

    Good times.

  15. Who should I believe? by WaffleMonster · · Score: 1

    Please freak out and put all of your Supermicro shit up on eBay.

    I like Supermicro.

    1. Re:Who should I believe? by drinkypoo · · Score: 1

      I like Supermicro.

      Don't like security, eh?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Who should I believe? by WaffleMonster · · Score: 1

      Don't like security, eh?

      Nope hate it. Put this insecure shit up on eBay where it belongs and don't expect much in the way of resale value for such "insecure" "junk". Obviously totally irrelevant IPMI is trivially disabled.

      Thank you for getting rid of your Supermicro gear.

  16. Of Course by Anonymous Coward · · Score: 0

    They are all aware of it. They all have known about it. They don't care as long as it stays out of the mainstream US media because they don't want to clean up the shit show.

  17. has any American who by Anonymous Coward · · Score: 0

    works for the Dept of Defense lost their job over this ?

    I mean, motherboard from china, great, install it in the nuclear launch backup servers....

  18. US wants to embargo itself by Jzanu · · Score: 1

    If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.

    1. Re:US wants to embargo itself by Crashmarik · · Score: 1

      If the US really wants to embargo itself then so be it, you'll be left behind in every area of science and crawl back to trading as a junior partner within 5 years.

      You mean the same way that happened during the cold war ?

      Not laughing with you, just at you.

    2. Re:US wants to embargo itself by Jzanu · · Score: 1

      No, you don't have German scientists to steal this time.

    3. Re:US wants to embargo itself by Crashmarik · · Score: 1

      No, you don't have German scientists to steal this time.

      We always have something to steal.

  19. Yup by Ryanrule · · Score: 1

    Time for China to be used only for resources, like Russia.

  20. this has been covered back in the 80's by onepoint · · Score: 1

    FYI, Analog wrote a 3 part series of this back in the 80's, it had a title of corporate warfare I think.

    but it's exactly that. 1 subsidiary installs the bug into the chip, another outfit installs the software that will trigger the chip to behave as coded, and another does the hack at the terminal to start the entire process of getting access into the systems.

    update, it might be august 1977's story cold cash war ... wow, I never new I read so many of these http://www.analogsf.com/about-...

    --
    if you see me, smile and say hello.
    1. Re:this has been covered back in the 80's by onepoint · · Score: 1

      yep they even made a book https://en.wikipedia.org/wiki/... ... it's the exact story enjoy you guys.

      --
      if you see me, smile and say hello.
  21. Refuted by Anonymous Coward · · Score: 0

    partially. Amazon and Apple deny any claims by this story. They also say thy are _not_ under any gag order about this.
    It seems there's a lot of bullshit here, let's wait for Supermicro and others to weigh in.

    Seems popular these days to invent blame on foreign governments, starting from Russians, now onto China.

  22. Fucking fake news by Pinky's+Brain · · Score: 0

    "In 2015, we were made aware of malicious manipulation of software"

    Facebook confirmed nothing you fucking morons ...

  23. Nuke Hong Kong FFS. by Anonymous Coward · · Score: 0

    It's the only reasonable response those slant-eyed bastards will ever respect. Theyve poisoned the worlds opiate supply. They need to be put in their place.

    NUKE CHINA.

  24. Thinking-Free Post by Anonymous Coward · · Score: 0

    Your zero thought post made a HUGE difference in everyones lives.