Bloomberg is resurrecting the Super Micro spy chip story it first ran in 2018. The original story was met with blanket and unambiguous denials from everyone from Apple to the NSA
Today’s update claims that spy chips were found in Super Micro servers at the US Department of Defense
October 2018
Bloomberg published a report claiming that companies including Amazon & Apple found Chinese surveillance chips in their server hardware contracted from Super Micro
Apple found these chips on its server motherboards in 2015. Apple is strongly refuting this report, sending out press statements to several publications, not just Bloomberg.
Apple said, “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed.”
The Department of Homeland Security denied the claim. One of Bloomberg’s sources told them the story made no sense. The NSA added its denial. A deep-dive analysis found the claims to be impossible. A Super Micro audit found no spy chips.
12 Feb 2021
Bloomberg ran a new report
In 2010, the US Department of Defense found thousands of its computer servers sending military network data to China, the result of code hidden in chips that handled the machines’ startup process
In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site.
In 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.
Each of these distinct attacks had two things in common: China and Super Micro Computer Inc.
Super Micro has again denied the report.
In response to detailed questions, Supermicro said it has “never been contacted by the U.S. government, or by any of our customers, about these alleged investigations.”
The company said Bloomberg had assembled “a mishmash of disparate and inaccurate allegations” that “draws farfetched conclusions.” Federal agencies, including those described in this article as conducting investigations, still buy Supermicro products, the company said.
With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.
“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm.
“These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips”
“This was espionage on the board itself,” said Mukul Kumar, who said he received one such warning during an unclassified briefing in 2015 when he was the chief security officer for Altera Corp., a chip designer in San Jose.
“There was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China”
Mike Quinn, a cybersecurity exec, said he was briefed about added chips on Supermicro motherboards by officials from the USAF. Quinn was working for a company that was a potential bidder for Air Force contracts, & officials wanted to ensure any work wouldn't include Supermicro
Bloomberg acknowledges the US government denials of its original coverage, and says that the NSA remains befuddled by the claims.
After the Oct 2018 article, officials for the U.S. Department of Homeland Security, the FBI, the Office of the Director of National Intelligence and the NSA made public statements either discounting the report’s validity or saying they had no knowledge of the attack as described.
The NSA said at the time it was “befuddled” by Bloomberg’s report and was unable to corroborate it; the agency said last month that it stands by those comments.
15 Feb 2021
Matt Tait, a former cybersecurity specialist at GCHQ, now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at UT Austin, and his CV also includes Google’s cybersecurity team, Project Zero.
He tweeted [@ pwnallthethings]
Oh man, guess we have to do supermicro chip saga again. tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press.
Bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
He says that although there are some impressive-sounding sources in the piece, absolutely none of them has any first-hand knowledge – and many of them aren’t likely to be qualified to validate the claims they have heard.
Tait acknowledges that some of the claims have a reasonable basis for reporting. Even without evidence, the fact that credible people are saying they were briefed on something is worth noting.
He ends by challenging Bloomberg to provide actual evidence.
This story is too big, and the refutations too blunt and too numerous to support on this level of third- and fourth-hand sourcing. If they have documents: go for it. Make fools of Apple, Amazon, FBI, NSA, DHS and ODNI by publishing them. Otherwise, this story should not have run.
The defense contractor investigated in 2012 after cellphone videos surfaced of its employees drunk and high on drugs in Afghanistan may have misused almost $135 million of U.S. taxpayer money, an audit finds.
A financial audit done on behalf of the independent Special Inspector General for Afghanistan Reconstruction (SIGAR) alleges Imperatis Corp, formerly Jorge Scientific Corp, couldn’t produce docs to show payments to a subcontractor were allowed under its contract w/ the Army
The IG report, released in April, said either Imperatis should produce the appropriate documents “to demonstrate that the costs invoiced and paid were allowable…” or refund the money to government.
Before the 2016 election, a longtime Republican opposition researcher mounted an independent campaign to obtain emails he believed were stolen from Hillary’s private server.
In conversations with members of his circle and with others he tried to recruit to help him, the GOP operative, Peter W. Smith, implied he was working with retired Lt. Gen. Mike Flynn, at the time a senior adviser to then-candidate Donald Trump.
“He said, ‘I’m talking to Michael Flynn about this—if you find anything, can you let me know?’” said Eric York, a computer-security expert from Atlanta who searched hacker forums on Mr. Smith’s behalf for people who might have access to the emails.
Norwegian police said on Friday they have ended a year-long probe into the disappearance of a Dutch cybersecurity expert, concluding he "most likely" died in an accident.
Arjen Kamphuis was last seen 20 Aug 2018, when checking out from a hotel in Bodoe, just north of the Arctic Circle. A few days later, a kayak with a hole in the hull and an oar were found on the shore of the fjord, as well as some other personal items.
Those circumstances and his work, which involved advising governments, firms, journalists and activists groups on how to prevent hacking attacks, fueled speculation of possible foul play.
One of his clients was the anti-secrecy organization WikiLeaks.
A former German secret service agent charged with treason has admitted to spying for the CIA, telling a court he had done so out of dissatisfaction with his job.
“No one trusted me with anything at the Federal Intelligence Service (BND). At the CIA it was different,” Markus Reichel told a Munich court at the opening of his trial.
Reichel’s case emerged during a furore over revelations of widespread US spying, revealed by former CIA intelligence contractor Edward Snowden, which has also sunk its partner service the BND into an unprecedented crisis.
A Russian defector has claimed the MI6 spy who was found dead in a padlocked holdall in his bath in Pimlico was “exterminated” by Russian intel agents because he refused to become a double agent and knew the ID of a Kremlin spy inside GCHQ.
Codebreaker Gareth Williams was found dead at his home in 2010. He had been a cipher expert at GCHQ but was on secondment to MI6 when he died.
His death was likely a “criminally mediated” unlawful killing, though it was “unlikely” to be satisfactorily explained.
Police investigating Williams’ death suggested he had died as the result of a sex game gone wrong.
But a defector, Boris Karpichkov claims intelligence sources in Russia have admitted the MI6 spy was killed by the SVR, the current incarnation of the KGB.
A computer scientist has complained that he was propositioned by the Dutch secret service to lead a new team of nation-state hackers and spy on Dutch citizens and other hackers abroad.
Buro Jansen & Janssen has interviewed an independent Dutch security researcher who claims that he was tracked down and offered a job by the Dutch General Intelligence and Security Service, which is also known as AIVD (Algemene Inlichtingen- en Veiligheidsdienst).
The man runs several Tor exit nodes for research purposes and is a Delft Tech alumnus. He was at a gym having a drink in early Jan 2017 when he was approached by a man & woman, who told him that they worked for AIVD & produced badges representing the Ministry of Internal Affairs