A major US telecommunications company found "manipulated" hardware from Super Micro Computer Inc. in its network in August - bolstering claims in a Bloomberg report last week alleging that China installed bugging devices on hardware bought by Apple, Amazon and a host of other companies.
According to a new report by Bloomberg, the unnamed telecom company hired former Israeli Intelligence Corps security expert Yossi Appleboum, now of Maryland-based Sepio Systems, who provided "documents, analysis and other evidence of the discovery" following last week's report detailing how China's intelligence agencies had ordered subcontractors to install malicious chips in Super Micro motherboards between 2013 and 2015.
Sepio Systems' board includes former Mossad director, Tamir Pardo, and its advisory board includes former CIA chief information security officer Robert Bigman.
Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company.
Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said. -Bloomberg
Appleboum says that Super Micro "is a victim -- so is everyone else," and that he has seen "similar manipulations of different vendors' computer hardware made by contractors in China," according to Bloomberg. He adds that his concern is that there are numerous points in the supply chain in China where hardware can be manipulated - which are virtually impossible to track down. "That's the problem with the Chinese supply chain," said Appleboum.
Based on his inspection of the device, Appleboum determined that the telecom company's server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou ... The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company's technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine.
The manipulation of the Ethernet connector appeared to be similar to a method also used by the U.S. National Security Agency, details of which were leaked in 2013. In e-mails, Appleboum and his team refer to the implant as their “old friend,” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China. -Bloomberg
In response to the new evidence, Supermicro said in a statement: "The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations."
Shares of Super Micro dropped as much as 27% in Tuesday trading, and are down approximately 45% since October 3, before the initial Bloomberg story hit the next day.
Super Micro strongly refuted the initial Bloomberg report, while both US and UK intelligence officials put out statements over the last several days in support of Amazon, Apple and Super Micro - who say it never happened.
As Bloomberg notes, the new manipulation is different from the one described last week; however, it shares key characteristics: "They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China."
Appleboum said that he's consulted with intelligence agencies outside the U.S. that have told him they've been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time. In response to the Bloomberg Businessweek story, the Norwegian National Security Authority said last week that it had been "aware of an issue" connected to Supermicro products since June. It couldn’t confirm the details of Bloomberg's reporting, a statement from the authority said, but it has recently been in dialogue with partners over the issue. -Bloomberg
Manipulated hardware is extremely difficult to detect, which has led intelligence agencies around the world to invest billions of dollars in such sabotage. The United States is known to have implemented extensive programs to "seed technology headed to foreign countries with spy implants," according to revelations by former CIA employee Edward Snowden - however China now appears to be sneaking its own versions onto hardware made within its borders.
Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware. -Bloomberg
The goal of the spy implants is to establish a "covert staging area" within sensitive networks, which is what Appleboum says was happening in the new case. Once the implant was identified and the server removed, Sepio's team was unable to perform further analysis on the chip.
One problem, according to national security experts, is that in a cybersecurity industry approaching $100 billion in revenue, very little effort has been made to inspect and detect hardware tampering. This has allowed intelligence agencies around the world to manipulate hardware virtually unfettered.