The Supermicro Motherboard Hack Runs On
The controversy continues over a contested Bloomberg report that the Chinese military inserted malware into Supermicro motherboards subcontracted for manufacture in China.
Bloomberg has responded to the widespread denials of its story, issued by the US tech companies said to have been victims, by producing a follow-up report alleging a similar insertion that has affected an unnamed US telecom company.
There are many interesting claims in the story. Of relevance to the initial report, the new report says that Chinese intelligence ordered subcontract manufacturers to insert unauthorized chips into motherboards for Supermicro of California.
This both corroborates and differs from the original report which claimed – rather implausibly – that the Chinese military – the PLA – pretended to be either Supermicro staff or government officials and either bribed or threatened plant managers with inspections to ensure the insertions.
As we said in our recent piece, this makes no sense. As the PLA, they would have declared who they were and ordered the action to take place. However, they would have ordered the company owners, not the plant managers.
This new story looks weak in two respects. It relies on one – named – source in internet security, namely Yossi Appleboum, co-CEO of security consultant Sepio Systems. Single-sourced stories tend to lack credibility, even more so when the single source is from a security company that partly relies on fears over cybersecurity breaches to generate business.
On the other hand, there is now a named source, who was either previously an anonymous source or is a fresh one, substantiating the initial story as well as offering a new one. Furthermore, on Appleboum’s board and advisory board are Tamir Pardo, former head of Mossad, the hyper-active Israeli intelligence service, and Robert Bigman, former head of information security for the CIA. These links lend some credibility to Mr Appleboum’s statements.
On 9th October it was reported on one website that one of the few sources named by Bloomberg in the original report – Joe Fitzpatrick – later expressed some discomfort about the use of his responses in the report. However, it is not clear that his citation was fundamental to the story. What is more worrying is the suggestion that his theorizing may have been turned into an anonymous source’s hard evidence. That would make the original report less grounded.
Another recent development is that British intelligence agency GCHQ made an announcement straight after the Bloomberg report and the subsequent denials, saying “We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple.”
Why did GCHQ think their comment was required on a US-China story? Were they asked to weigh in by someone? Their statement is so half-hearted it was scarcely worth giving.
The South China Morning Post in Hong Kong interviewed several experts in China’s technology industry. The prevailing view was that they didn’t think the capability existed in the country to exercise the reported degree of sophistication. Chips are a known deficiency in China’s national armory.
For this reason, over 80 per cent of chips in China are imported. According to Beijing, over 95 per cent of the high-quality sort used in servers and computers are imported. As is well known, China’s chip technology is still at a low level of development. Could the PLA really create a chip the size of a pencil tip which had the damaging capabilities cited?
On the other hand, Huawei recently brought out a mobile telephone chip with 6.9 billion transistors in an area of less than a square centimeter, based on Taiwanese 7-nanometre fabrication process technology. Could there be advances in technology in state institutions which are deemed better kept confidential because they have national security applications?
The two sides currently seem very entrenched and are digging in further. It is possible that Bloomberg has been hoodwinked by parties in Washington keen to encourage a sharp reorientation of the tech industry’s supply chain away from China on national security grounds even if the particular incidents cited are overblown.
On the other hand, there may be sufficient perceived risk and vulnerability to the tech industry, national defense and the country as a whole that at a very senior level it has been decided to try to obscure the whole situation while conducting damage control.