FUCK THE POLICE (10-04-2018)
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
https://www.bloomberg.com/news/featu...usinessweek-v2
.........To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process.
The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression.
These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small.
In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.
Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.
Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
This attack was something graver than the software-based incidents the world has grown accustomed to seeing.
Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.
China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs.
Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.
“Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”
But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
.................more
FUCK THE POLICE (10-04-2018)
Bigdog (10-04-2018)
https://www.bloomberg.com/toaster/v2...ideTitles=true
Just about all computerized devices on the planet, from wrist-worn step-tracking gadgets to supercomputers that crunch U.S. intelligence data, participate in a complex supply chain honed over decades. Tiny circuits, pieces of glass, wiring, computer chips and many more parts are designed, built, combined, recombined and retrofitted in multiple steps by multiple companies, contractors and subcontractors in multiple countries.
It takes a global village to make computers and gadgets. Bloomberg data count 50 different suppliers just for Hewlett Packard Enterprise Co., the company that makes computer servers, digital-data storage machines and other essential gear used by corporations and governments. That figure likely undercounts all the hands involved in making computer gear. A corporate computing data center might have equipment sold by dozens of manufacturers, which all have similarly complex networks of parts and software suppliers, manufacturers, assemblers, testers and contractors.
Every technologist and spy knows this global supply chain is necessary but also potentially vulnerable. Somewhere along the chain, malicious actors can find ways to infiltrate the system to insert bugs or de facto spying devices. And according to Bloomberg Businessweek, that’s exactly what operatives of China’s military did to the kinds of circuit boards that made their way into the digital networks of entities including Amazon, Apple and the U.S. Department of Defense. (The companies mentioned in the Bloomberg Businessweek article disputed summaries of the reporting. Their full comments, and those from a Chinese foreign ministry spokesperson, are published here.)
The supply chain attack could have siphoned corporate secrets and government information while leaving few fingerprints. It’s the most insidious kind of digital spying imaginable, and some of the savviest tech minds in the world haven’t yet found a reliable way to sniff out the hardware-infiltration attacks, according to the Bloomberg Businessweek reporting. And worse, I’m not sure what, if anything, could be done to prevent this kind of snooping.
Over the decades, companies in China, Taiwan, the U.S., Vietnam and elsewhere in the world have developed specialization at discrete steps in manufacturing or assembly for computing equipment. It would take years and support from the U.S. government to replicate that specialization entirely in the U.S. or other countries that American companies and the government trust.
If so, this dovetails with the White House, which wants to wean the country off reliance on Chinese factories and suppliers. That desire is at the heart of the U.S.’s continuing trade fight with China. Now, technologists and U.S. trade hawks have a common but perhaps impossible mission: reverse decades of globalization in computing to try to prevent damaging attacks.
You care about China, but not Russia, why is that?
The supply chain attack could have siphoned corporate secrets and government information while leaving few fingerprints. It’s the most insidious kind of digital spying imaginable, and some of the savviest tech minds in the world haven’t yet found a reliable way to sniff out the hardware-infiltration attacks, according to the Bloomberg Businessweek reporting. And worse, I’m not sure what, if anything, could be done to prevent this kind of snooping.
Over the decades, companies in China, Taiwan, the U.S., Vietnam and elsewhere in the world have developed specialization at discrete steps in manufacturing or assembly for computing equipment. It would take years and support from the U.S. government to replicate that specialization entirely in the U.S. or other countries that American companies and the government trust.
If so, this dovetails with the White House, which wants to wean the country off reliance on Chinese factories and suppliers. That desire is at the heart of the U.S.’s continuing trade fight with China. Now, technologists and U.S. trade hawks have a common but perhaps impossible mission: reverse decades of globalization in computing to try to prevent damaging attacks.
****************
And, it wasn't always "snooping". Some if not most over decades has been by direct teaching and aiding. The students are now sticking it to the teacher.
Bigdog (10-04-2018)
I care about Russia but Russian hacking is child's play. China engages in all kinds of state-sponsored espionage.
From Confucian Universities, to industrial R&D theft to IP theft, as well as traditional spying like Russia.
The size and scope of Chinese espionage dwarfs Russia, much like their economy dwarfs Russia's.