Govs around the world, including China & Russia, but also US and allies, conduct "supply chain attacks", where they insert hardware implants into servers and routers before they get shipped to surveillance targets, according to Snowden documents theintercept.com/2019/01/24/com…

In October Bloomberg published a widely-disputed story claiming China conducted supply chain attacks against Supermicro motherboards. While the specific story may be completely wrong, supply chain attacks definitely happen bloomberg.com/news/features/…

Our story, based on previous Snowden reporting, on docs that have previously been published but never analyzed, and on new docs we're publishing today, doesn't address Bloomberg's claims. But it's clear that the US takes seriously the threat from Chinese supply chain tampering

US intel found evidence that "China is capable of intrusions more sophisticated than those currently observed by U.S. network defenders" and China's BIOS attacks "reflects a qualitative leap forward in exploitation that is difficult to detect" (wiki from 2012)

US intel had discovered, and studied, BIOS malware from China (PLA) and Russia (MAKERSMARK). They also warned against AMI and Award BIOS firmware, saying they were "currently compromised". Both companies stated that BIOS security is much better today than in 2012

One document describes a supply chain attacks that France conducted in 2002 against Senegal, it's former colony ("by 2004 could access all the info processed by those systems"). Also attacks by Germany, and possibly by Israel against Iraq

As already reported, the US conducted a supply chain interdiction attack against Cisco routers getting delivered to Syria Telecom. Here's how that attack, and similar NSA attacks, work

NSA also conducted a supply chain attack against a surveillance target setting up a VoIP system for classified online phone calls

The US has diplomatic facilities, like embassasies and consulates, all around the world. It sometimes uses these facilities in "adversary space" to conduct supply chain operations

A division of NSA's elite hacking squad Tailored Access Operations (now known as Computer Network Operations) called the Persistent Division was tasked with actually developing NSA's firmware implants. A document describes some wild projects for Persistence Division interns

While supply chain attacks are real, and countries all over the world conduct them, it's important to remember that there are *much* easier ways to hack most organizations -- like spearphishing, or relying on people re-using their passwords

As @securelyfitz puts it, "The reality is that most organizations have plenty of vulnerabilities that don’t require supply chain attacks to exploit."