Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg

Server maker says latest article is 'a mishmash of disparate allegations'

Following up on a disputed 2018 claim in its BusinessWeek publication that tiny spy chips were found on Supermicro server motherboards in 2015, Bloomberg on Friday doubled down by asserting that Supermicro's products were targeted by Chinese operatives for over a decade, that US intelligence officials have been aware of this, and that authorities kept this information quiet while crafting defenses in order to study the attack.

"China’s exploitation of products made by Supermicro, as the US company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter," states Bloomberg in its report, said to rely on interviews with more than 50 sources, mostly unnamed, in government and the private sector.

The article – a follow-on to BusinessWeek's 2018 spy chip bombshell – cites three specific incidents: the 2010 discovery by the Defense Department that thousands of its computers were sending military network data to China due to code hidden in chips that handle the server startup process; Intel's discovery in 2014 that a Chinese hacking group penetrated its network via a server that fetched malware from an unidentified supplier's update site; and a 2015 warning issued by the FBI to multiple companies that Chinese agents had hidden an extra chip with backdoored code on one manufacturer's servers.

In other words, Bloomberg has expanded its claim that chips containing malicious spyware were added to Supermicro server motherboards, to also include claims of malicious alterations to BIOS-level software to load and run surveillance code hidden in firmware, and to include alleged attacks on other vendors.

Beijing blues

According to Bloomberg, the common threads in these incidents are China, Supermicro, and unspecified discoveries by "US spymasters," that were not widely disclosed.

The report goes on to claim that an FBI counterintelligence operation began in 2012, in which warrants under the Foreign Intelligence Surveillance Act were obtained to surveil a set of Supermicro employees. But the story further says that while it's unclear whether this investigation remains ongoing, the Feds began working with people in the private sector to analyze these purported spy chips that had been secreted onto circuit boards.

The scenario is not entirely implausible to some in the security industry. "In the hierarchy of cyber attack techniques preferred by intelligence agencies, the highest-level attacks are those that are persistent even when machines are turned off and software is reloaded," said Alan Paller, director of research at the SANS Institute and president of the SANS Technology Institute, in an email to The Register. "A malicious chip is the simplest solution. Simple solutions work."

After all, even the NSA ran its own chop shops, adding backdoors to IT gear as it was shipped across the world.

Supermicro, as you might expect, has dismissed today's story in a lengthy statement. It said in part:

Bloomberg’s story is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don’t withstand scrutiny. In fact, the National Security Agency told Bloomberg again last month that it stands by its 2018 comments and the agency said of Bloomberg’s new claims that it 'cannot confirm that this incident—or the subsequent response actions described—ever occurred.' Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back more than 10 years, Supermicro has never been contacted by the US government, or by any of our partners or customers, about these alleged investigations.

To date, no one has presented any public evidence that these spy chips exist: no one has pointed at a board and told the world, there, that's the spy chip. And many respected security mavens, including Google's Tavis Ormandy, have expressed deep skepticism of Bloomberg's claims. Then there are the denials issued two years ago that Supermicro cites in its statement, from then-Director of National Intelligence Dan Coats and FBI Director Christopher Wray. Apple and Amazon played down any suggestion that Supermicro systems fitted with surveillance chips made it into production.

Yet the Bloomberg report today does provide a named source, Mukul Kumar, who, as chief security officer for FPGA designer Altera, claims to have learned of such a spy chip during an unclassified briefing. "This was espionage on the board itself," he is quoted as saying. "There was a chip on the board that was not supposed to be there that was calling home — not to Supermicro but to China."

The Register spoke with a former executive at a major semiconductor company, who asked not to be named, about the plausibility that the subverted silicon cited in the Bloomberg report might exist, and we were surprised to find that he found it credible.

"I have physically held evidence in my hands," he said with regard to the existence of compromised hardware. "I have seen it from multiple governments."

China, Israel, and the UK have excelled at these operations, he said, with France, Germany, and Russia also involved but, in his view, somewhat less capable in terms of hardware subversion.

Such attacks absolutely do happen, our source said, adding that there are government contracts seeking to study subverted hardware attacks so they can be replicated and improved upon. However, they're generally not directed at the public, he said. Rather, they're focused on obtaining access to critical systems and on developing durable national security assets.

If a Chinese chip has indeed been identified, he said, then those involved in the operation messed up by not spending the resources to hide it better.

Software attacks are easier, he said, but they're also easier to inspect. The complexity of hardware makes implants harder to find. In modern cell phone chips, for example, he said, you can implant silicon in the circuit board and then add chips on top of that to make the alteration less obvious.

"If you create something that should not be there, the x-ray inspector can discover it," he said. "But if it's changing the shape and size of existing silicon slightly, that's harder to inspect. It's not difficult to add a little circuitry and have no material difference in observability."

"It's important to have an awareness of the kinds of things that happen in order to motivate industry to make changes and ultimately keep people safe," our source said.

The Register asked Supermicro whether it is considering litigation against Bloomberg. A spokesperson for the company was non-committal, saying only that the manufacturer is reviewing the story and considering its options. ®
