12 Feb 2021
Bloomberg is resurrecting the Super Micro spy chip story it first ran in 2018. The original story was met with blanket and unambiguous denials from everyone from Apple to the NSA
9to5mac.com/2021/02/12/sup…
Bloomberg is resurrecting the Super Micro spy chip story it first ran in 2018. The original story was met with blanket and unambiguous denials from everyone from Apple to the NSA
9to5mac.com/2021/02/12/sup…
Today’s update claims that spy chips were found in Super Micro servers at the US Department of Defense
October 2018
Bloomberg published a report claiming that companies including Amazon & Apple found Chinese surveillance chips in their server hardware contracted from Super Micro
October 2018
Bloomberg published a report claiming that companies including Amazon & Apple found Chinese surveillance chips in their server hardware contracted from Super Micro
Apple found these chips on its server motherboards in 2015. Apple is strongly refuting this report, sending out press statements to several publications, not just Bloomberg.
Apple said, “We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed.”
The Department of Homeland Security denied the claim. One of Bloomberg’s sources told them the story made no sense. The NSA added its denial. A deep-dive analysis found the claims to be impossible. A Super Micro audit found no spy chips.
12 Feb 2021
Bloomberg ran a new report
In 2010, the US Department of Defense found thousands of its computer servers sending military network data to China, the result of code hidden in chips that handled the machines’ startup process
[Bloomberg article]
bloomberg.com/features/2021-…
Bloomberg ran a new report
In 2010, the US Department of Defense found thousands of its computer servers sending military network data to China, the result of code hidden in chips that handled the machines’ startup process
[Bloomberg article]
bloomberg.com/features/2021-…
In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site.
In 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.
Each of these distinct attacks had two things in common: China and Super Micro Computer Inc.
Each of these distinct attacks had two things in common: China and Super Micro Computer Inc.
Super Micro has again denied the report.
In response to detailed questions, Supermicro said it has “never been contacted by the U.S. government, or by any of our customers, about these alleged investigations.”
In response to detailed questions, Supermicro said it has “never been contacted by the U.S. government, or by any of our customers, about these alleged investigations.”
The company said Bloomberg had assembled “a mishmash of disparate and inaccurate allegations” that “draws farfetched conclusions.” Federal agencies, including those described in this article as conducting investigations, still buy Supermicro products, the company said.
With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.
“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm.
“These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips”
“This was espionage on the board itself,” said Mukul Kumar, who said he received one such warning during an unclassified briefing in 2015 when he was the chief security officer for Altera Corp., a chip designer in San Jose.
“There was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China”
Mike Quinn, a cybersecurity exec, said he was briefed about added chips on Supermicro motherboards by officials from the USAF. Quinn was working for a company that was a potential bidder for Air Force contracts, & officials wanted to ensure any work wouldn't include Supermicro
Bloomberg acknowledges the US government denials of its original coverage, and says that the NSA remains befuddled by the claims.
After the Oct 2018 article, officials for the U.S. Department of Homeland Security, the FBI, the Office of the Director of National Intelligence and the NSA made public statements either discounting the report’s validity or saying they had no knowledge of the attack as described.
The NSA said at the time it was “befuddled” by Bloomberg’s report and was unable to corroborate it; the agency said last month that it stands by those comments.
15 Feb 2021
Matt Tait, a former cybersecurity specialist at GCHQ, now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at UT Austin, and his CV also includes Google’s cybersecurity team, Project Zero.
9to5mac.com/2021/02/15/blo…
Matt Tait, a former cybersecurity specialist at GCHQ, now a senior cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at UT Austin, and his CV also includes Google’s cybersecurity team, Project Zero.
9to5mac.com/2021/02/15/blo…
He tweeted [@ pwnallthethings]
Oh man, guess we have to do supermicro chip saga again. tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press.
Oh man, guess we have to do supermicro chip saga again. tl;dr is a source misunderstood an FBI defensive briefing on China’s supply chain activities, leaked it to the press.
Bloomberg has again failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
He says that although there are some impressive-sounding sources in the piece, absolutely none of them has any first-hand knowledge – and many of them aren’t likely to be qualified to validate the claims they have heard.
Tait acknowledges that some of the claims have a reasonable basis for reporting. Even without evidence, the fact that credible people are saying they were briefed on something is worth noting.
He ends by challenging Bloomberg to provide actual evidence.
He ends by challenging Bloomberg to provide actual evidence.
This story is too big, and the refutations too blunt and too numerous to support on this level of third- and fourth-hand sourcing. If they have documents: go for it. Make fools of Apple, Amazon, FBI, NSA, DHS and ODNI by publishing them. Otherwise, this story should not have run.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
