Posted by: Bixmoor

Bloomberg report on alleged Chinese hacking

A fascinating stand-off has developed in the United States as a result of a Bloomberg report on Chinese hacking into US industry.

Bloomberg reported on 4th October that a unit of the Chinese military – the PLA – had arranged the surreptitious installation of rogue chips into motherboards produced for Super Micro Computer Inc (Supermicro) of San Jose, California. The chips offered back door access into the motherboards.

Those motherboards found their way as expected into the products and systems of almost 30 US companies, including Amazon and Apple. Compromised equipment also appears to have been used by the Department of Defense, NASA and the Department of Homeland Security. This hostile initiative may even have compromised the Mormon Church and the US pornography industry.

Bloomberg cites sources who have reported that Amazon discovered the inserted chips and referred the case to US intelligence agencies. The suspect chips appear to have been programmed to allow unauthorized outside control and instruction of attached hardware and functions.

Bloomberg reports that Supermicro subcontracted the manufacture of the motherboards to companies in China. It says that at those Chinese companies, “plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants”.

Most of the story appears quite credible, given evidence published about China’s previous adventures in the cyber world. However, this part of the story appears odd. If the PLA unit staff claimed to represent Supermicro, they wouldn’t need to bribe or threaten to change the specification. They would just give an order. If they claimed to represent the government, they would not threaten or bribe. They would give an order to the Chinese manufacturer to execute the instruction. However, they would give the order to the factory owner not the plant managers. This part of the report does not ring true. It sounds like the narrative of Westerners who don’t know how China works.

The reaction of  Amazon, Apple and Supermicro was to deny comprehensively the allegations in the report. The internet news channel Buzzfeed reported that it had spoken in confidence to several senior staff in the named companies and been met with universal rejection of the report. When asked, company spokesmen denied that they were being gagged or were lying to defend national security.

These claims and counter-claims make a stand-off in terms of spoken statement but with the knowledge that US technology companies do receive legal demands to acquiesce and not acknowledge government demands for silence.

It has been pointed out that such denials also occurred in 2013 when the US ‘Prism’ program of mass surveillance was exposed. Such companies were also asked if they had participated. They vehemently denied it but used contorted statements in almost identical terms which several observers felt meant they may have been constrained from telling the truth for national security reasons.

Bloomberg’s 4th October report was the culmination of a year of investigative journalism. Despite the strong denials, Bloomberg said that it stood by its journalists and their report. The company said that “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews ….Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks”.

It does seem to fit quite well with the Trump administration’s willingness to stand up to China’s attacks on US national technology security. However, this may, for the moment, be taking place in private.

Congressman Chris Stewart of the House Intelligence Committee has called for the relevant US firms to be called to answer questions on this report.

We might almost see this incident as a justification and an explanation of the tightening of the US government’s position towards China. They may now have a positive preference for US companies to source their components from outside China.

As the Bloomberg report stated, “the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.””

The Trump administration may have decided that enough is enough. We are no longer arguing about cents on the dollar but about national security. Therefore, it is worth acting to change the supply chain. On this surmise, what has not happened yet is the open official verdict on the matter.

The reason for caution may be a residual desire to prod China into alignment on the denuclearization of North Korea. If China knows that the US knows about its activities against US tech companies but does not publicly state the situation, there is still the possibility of some cooperation.

Bixmoor is a primary bespoke research provider to business, governments and the financial community.