Last Thursday, a Bloomberg article broke the news of the latest hack targeting big tech companies, among them Apple and Amazon. This time around, the alleged perpetrators are not the Russians but the Chinese People’s Liberation Army (PLA). The hack is surprising not because of the alleged perpetrator or the victims, but because of the method the attackers used: compromising the supply chain of their victims.

Originally, the vulnerability was discovered when Amazon audited Elemental, a company active in data compression techniques and servers, before its acquisition in 2015. The attackers did not target the companies directly but went through an intermediary: Super Micro Computers, a San Jose-based motherboard manufacturer. Like many other US hardware manufacturers, Super Micro designs its boards in the US but outsources their production to subcontractors in China. This is where a tiny microchip, thinner than a grain of rice, was added to the boards. The infected motherboards would then be assembled into complete servers and delivered to customers worldwide.

Among the end users of those infected servers were Apple, Amazon and even the US military. To put the gravity of the attack into perspective, in simplified terms: the microchips can manipulate the operating system's instructions as they transit between the RAM and the CPU of the infected server. This allows a remote attacker to intercept logins and passwords to the infected machine and thereby gain access to its content. This tampering leaves critical data of Supermicro’s customers vulnerable to the PLA’s intelligence officers.


Hardware attacks are quite common for targeted intelligence gathering, but they are usually carried out after the final product has left the factory and is en route to its final user. Among the Snowden leaks lies a catalog that details the hardware attack angles available to an American intelligence officer in 2008 for targeting networks and specific computers of foreign companies and governments. This historical perspective shows that this case is not an isolated event but a worrying development, for businesses and consumers, of a lasting issue: the collateral damage of cyberwarfare.

To sum up, the main story of the article and this historical example highlight the strong need for control over all actors in the supply chain, from the designer to the final customer, to keep critical infrastructure out of harm’s way. Trust along the supply chain is gone, and hardware manufacturers will need to improve and differentiate themselves by including extensive audits of the hardware they sell or use.

 

Bernhard Bieri