Bloomberg Businessweek on Thursday reported on a three-year investigation into computer hardware compromised with spy chips by Chinese military hackers.
The full report is lengthy, some of the details remain classified since the investigation is still ongoing, and many particulars of the report are contested by the American companies involved. Following is a summary of the most important elements of the “Big Hack” story.
Length of the investigation: According to U.S. government sources, intelligence officials warned the Obama White House in 2014 that Chinese military cyber-espionage teams were trying to insert spy chips into motherboards used by a computer company called Supermicro. Security consultants retained by Amazon.com discovered suspicious chips in 2015 on computers Supermicro assembled for a third company called Elemental Technologies.
Number of companies involved: The scale of the operation described by the report is vast indeed. Multiple circuit board manufacturers in China were allegedly bribed or coerced by the People’s Liberation Army to participate. Supermicro is a top supplier of computer products to many other companies. Bloomberg Businessweek reported the U.S. government believes almost 30 companies were involved altogether.
Government agencies involved: The report stated government purchasers of Supermicro computers include the Defense Department, the U.S. Navy, the Department of Homeland Security, NASA, and both houses of the U.S. Congress. On Friday, Australia’s Department of Defense and Bureau of Meteorology revealed they have also purchased Supermicro computers. The report did not claim all of the computers sold by Supermicro were compromised.
Number of computers involved: The computers involved in the hack are powerful servers, not personal desktop computers, so while the exact number is difficult to estimate from the information presented, it would not encompass millions of PCs and laptops.
The story at one point mentions Apple replacing 7,000 Supermicro servers. On Friday, Apple described that episode as a malware problem, conceding that security issues were found but still denying the massive corruption of hardware reported by Bloomberg.
Facebook also responded to the Bloomberg piece on Friday by saying a “limited number” of computers used for “testing purposes confined to our labs” were found to have compromised firmware in 2015.
From these accounts, it is possible ten or twenty thousand servers were compromised across the 30 or so companies referenced in the Bloomberg Businessweek report. The report did not disclose the information needed to produce a better estimate, such as who the buyers were and how many servers they employ. The important thing to remember is that these computers are servers, which means a hardware hack sitting beneath their operating systems could potentially compromise a great deal of the information flowing through each network they serve.
Amount of data stolen: The report includes some hopeful speculation that the hack was not fully activated and no damage was done, although it seems very difficult to be certain of that.
How the hack works: This is the most complicated and technical topic in the report, and the description given by Bloomberg’s sources was not comprehensive. The Register dug deep into the report on Thursday and quoted experts who theorized the hack would allow intruders to control the information flowing into the computer’s master chip, the CPU. This would give them access to the computer’s processing at such a basic level that nearly all security measures would be useless. The hackers could disable any security software that got in their way.
Professor Nicholas Weaver of Berkeley’s International Computer Science Institute told the Verge on Thursday it would be a “god mode” hack that would be almost impossible to detect or prevent unless the hackers made some crucial mistakes along the way. It would also require an enormous degree of skill and patience to exploit the vulnerable CPU.
How to neutralize the hack: Some security experts said the best bet for detecting and nullifying the hack would be watching for odd network traffic coming from the compromised computers and seeking out remote systems operated by the hackers. The Bloomberg report implied this technique might have already been used by U.S. government investigators.
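As an added example (not code from the article or from any company it names), a small Python triage over constructed flow records applies the approach the experts describe: learn each server's normal destinations, flag new ones, and rank those contacted at a steady cadence first, since regular check-ins to an unknown remote host are what an implant talking to its operator would look like. Hostnames, addresses and timings are constructed.

```python
# Added example (not from the article): flag servers that begin contacting
# destinations absent from their baseline, and rank steady-cadence contacts first.
# Flow records are (epoch_seconds, src_host, dst_ip, dst_port); all data is constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window: servers talk only to known internal peers.
BASELINE_FLOWS = [
    (1000, "db01", "10.0.0.5", 5432), (1060, "db01", "10.0.0.9", 443),
    (1000, "app01", "10.0.0.5", 5432), (1030, "app01", "10.0.0.7", 80),
]
# Constructed monitoring window: db01 starts calling an unknown external host
# every 600 s; app01 makes one new but unrepeated internal connection.
OBSERVED_FLOWS = [
    (2000, "db01", "10.0.0.5", 5432), (2000, "db01", "203.0.113.44", 443),
    (2600, "db01", "203.0.113.44", 443), (3200, "db01", "203.0.113.44", 443),
    (3800, "db01", "203.0.113.44", 443),
    (2100, "app01", "10.0.0.7", 80), (2150, "app01", "10.0.0.9", 443),
]

def build_baseline(flows):
    """Map each server to the (dst_ip, dst_port) pairs seen in the learning window."""
    baseline = defaultdict(set)
    for _, src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def new_destinations(baseline, flows):
    """(src, dst, port) triples that the server never reached during the baseline."""
    return sorted({(s, d, p) for _, s, d, p in flows if (d, p) not in baseline.get(s, set())})

def beacon_interval(flows, src, dst, port, max_jitter=0.10, min_hits=4):
    """Mean gap in seconds if src reaches dst:port at a regular cadence, else None."""
    times = sorted(t for t, s, d, p in flows if (s, d, p) == (src, dst, port))
    if len(times) < min_hits:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return avg if avg > 0 and pstdev(gaps) / avg <= max_jitter else None

def triage(baseline_flows, observed_flows):
    """Periodic new destinations first: they resemble implant check-ins to a remote operator."""
    baseline = build_baseline(baseline_flows)
    findings = [
        {"src": s, "dst": d, "port": p, "beacon_interval_s": beacon_interval(observed_flows, s, d, p)}
        for s, d, p in new_destinations(baseline, observed_flows)
    ]
    return sorted(findings, key=lambda f: f["beacon_interval_s"] is None)
```

In practice the learning window would be built from weeks of exported NetFlow or firewall logs rather than a handful of tuples, and management-network interfaces deserve their own baseline because they normally talk to almost nothing.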
The larger question would be how American corporate and government computer customers can keep hardware hacks out of their offices. The early prognosis from computer experts was grim.
Wired noted that detecting hardware hacks is incredibly difficult and simply beyond the capabilities of smaller companies, as the spy chips are tiny and sometimes sandwiched inside fiberglass circuit boards, making them detectable only by X-ray. Insulating the entire computer supply chain from hardware hacks is essentially impossible.
Much of the manufacturing is done in China and components are shipped around the world as they are assembled into circuit boards and full computer systems. Security experts professed themselves shocked and alarmed that an attack on the computer supply chain appears to have occurred already; they previously viewed it as a disturbing theoretical possibility that could still be years away.
Effect on computer companies: Supermicro stock tumbled by almost 50 percent by Friday, while Apple and Amazon, the two largest Supermicro clients mentioned in the Bloomberg report, were down slightly as well.
Growing apprehension about all Chinese computer products caused ripples in the market after the Bloomberg Businessweek report was published. Hong Kong-based Lenovo, which has some facilities in mainland China, saw its shares drop by over 15 percent on Friday even though it issued a statement that it does not use Supermicro products.
Chinese telecom manufacturer ZTE was down 11 percent on Friday, a slump also linked to the Bloomberg report. ZTE’s products were classified as security risks by a U.S. congressional report in 2012, and it nearly went bankrupt when U.S. companies were almost banned from doing business with it in 2018 due to its violation of sanctions on Iran and North Korea.