Hacked Supermicro system at US telecom firm

Joanna Estrada
October 11, 2018

Both the US Department of Homeland Security and the UK's National Cyber Security Center have said they have no reason to doubt the denials from Apple and Amazon.

The companies named in the report quickly issued denials, and have since been joined by law enforcement and security services from the U.S. and beyond.

While Bloomberg notes that the Ethernet implant "is different from the one described in the Bloomberg Businessweek report last week", it argues that it shares "key characteristics" including the fact that the adjustment was made at a Super Micro factory and it was created to be invisible while extracting data.

While the hardware manipulation reported Tuesday is different from the one described last week, Bloomberg said they shared key characteristics, namely that they were both created to "give attackers invisible access to data on a computer network in which the server is installed".

Appleboum told Bloomberg that Supermicro isn't the only victim of Chinese tampering.

Appleboum said he has contacts in the US intelligence community who pinpointed the origin of the compromised computer components as Guangzhou, the port city often hailed as the "Silicon Valley" of China. In response to the earlier Bloomberg Businessweek investigation, China's Ministry of Foreign Affairs didn't directly address questions about the manipulation of Supermicro servers but said supply chain security is "an issue of common concern, and China is also a victim".

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a "major United States telecommunications company" discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro. But now the news outlet has another report citing security expert Yossi Appleboum, who works as a contractor for a "major US" telecoms firm and has said, on the record, that the claims in the original report are correct and that the company found a surveillance device implanted into the Ethernet port of one of its servers made by Supermicro.

Joyce appealed to anyone with knowledge of the alleged hardware tampering to contact officials in the NSA, DHS, or Federal Bureau of Investigation. On Monday, Apple sent a letter to Congress that again asserted in unambiguous language that no officials inside the company were ever aware of malicious hardware being used in any of its networks.

Now, one of the few named sources in the original story - Joe FitzPatrick, a hardware security expert, who is only quoted in relation to a hypothetical scenario where a piece of "hardware opens whatever door it wants" - says he highly doubts the report is accurate.

The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article.

The new story pointing to an Ethernet hack is clearly meant to act as support for the original story, but since the details are so different, and given that the entire report is single-sourced, it has had the opposite effect among security experts, who have started to doubt the credibility of the original story.

Appleboum didn't respond to requests for comment for this post.

"There are technical issues with both stories, but I think both are plausible", Jake Williams, a former NSA hacker who is now founder of Rendition Security, tweeted.

If the Bloomberg reporting is accurate, it has uncovered arguably the biggest hack of all time. Extraordinary claims require extraordinary proof. "That's the problem with the Chinese supply chain", he said. He added that he had "grave concerns about where this has taken us".
