Another day goes by, another hacking claim is made, but this one is just as daunting as the previous one put out by Bloomberg against Supermicro. The publication has reported that the network cards on board Supermicro motherboards were compromised and sent to "[a] major US Telecom" company, which subsequently removed the affected devices in August. However, the report provides little else in terms of details. If true, this should be terrifying to any security professional. If false, heads could very well roll.
Initially, the claim was made by Yossi Appleboum, co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His background in Israeli intelligence gives him some credibility; however, the claim he is making is up against some rather strongly-worded backlash from nearly everyone in the telecom industry.
The claim is that the network cards of servers at a major US telecom company were infected and that this was only caught this past August. This attack is similar to the last one outlined by Bloomberg insofar as hardware is involved, but this one would piggyback directly off the network chipset, giving supposedly invisible access to the server in question. The alterations were apparently made at the factory, according to Appleboum.
"These devices are not part of our network, and we are not affected," AT&T spokesman Fletcher Cook said in response to the latest report. Sprint spokeswoman Lisa Belot followed up with "Sprint does not have Supermicro equipment deployed in our network," and a Verizon spokesman said, "we're not affected." The only odd one out at the time of Bloomberg's publishing was T-Mobile, which had not yet responded.
The outright and quick denials from these companies are odd, to say the least. Bloomberg's previous claim, that Supermicro boards had a chip embedded on their motherboards, gave those in the security industry reason to worry. But at the same time, many of them were also befuddled as to why China would need to reinvent the wheel in a way as hard and as expensive as this must have been.
This particular claim suggests that China is getting far more creative with its possible attack vectors, but the problem is that this attack would be just as visible as any other: an implant on the network chipset still has to move packets, and network traffic should and would have been monitored at any of these organizations with hawk-like diligence. Perhaps the traffic was encrypted or otherwise disguised so that it appeared to be legitimate. But these are Fortune 500 companies and none of them takes security lightly, so the suggestion that they simply failed to notice this from some unknown start date until August seems spurious, to say the least. The details of this Bloomberg piece seem to be more logistically oriented than technical, making it even more questionable.
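The argument above rests on a defender's check that is easy to make concrete: whatever the implant is, its traffic lands in the same flow telemetry the network team already collects. The following is an added example, not code from the article or from any of the companies it names. It compares each server's outbound flows against a per-host egress allowlist and then looks for the low-volume, evenly spaced connections that a call-home channel tends to produce. The hosts, addresses (203.0.113.0/24 is a documentation range) and flow records are all constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Egress-baseline and beaconing check over constructed flow records.

Added example: models the monitoring the article says would expose a NIC-level
implant. Every address, host and flow below is constructed; nothing here is
derived from the Bloomberg report.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed per-server egress allowlist of (destination, port). In practice
# this comes from a learned baseline or change-management records.
ALLOWLIST = {
    "10.0.1.20": {("10.0.1.5", 53), ("10.0.2.10", 443), ("10.0.9.9", 514)},
}

# Constructed flow records: (timestamp_seconds, src, dst, dport, bytes_out)
FLOWS = [
    (0,    "10.0.1.20", "10.0.2.10",   443, 48213),
    (12,   "10.0.1.20", "10.0.1.5",    53,  120),
    (300,  "10.0.1.20", "203.0.113.7", 443, 512),   # unlisted, small, periodic
    (600,  "10.0.1.20", "203.0.113.7", 443, 498),
    (900,  "10.0.1.20", "203.0.113.7", 443, 520),
    (1200, "10.0.1.20", "203.0.113.7", 443, 505),
    (1300, "10.0.1.20", "10.0.9.9",    514, 2300),
    (1500, "10.0.1.20", "203.0.113.7", 443, 511),
]


def unexpected_destinations(flows, allowlist):
    """Return {src: {(dst, port), ...}} for flows outside each host's allowlist."""
    out = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if (dst, dport) not in allowlist.get(src, set()):
            out[src].add((dst, dport))
    return dict(out)


def beacon_candidates(flows, min_count=4, max_cv=0.2, max_bytes=4096):
    """Return [(src, dst, port, mean_gap_s)] for small, regularly spaced flows.

    Regularity is measured as the coefficient of variation of the gaps between
    successive flows to the same (src, dst, port); thresholds are assumptions.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        by_pair[(src, dst, dport)].append((ts, nbytes))
    found = []
    for (src, dst, dport), recs in by_pair.items():
        if len(recs) < min_count:
            continue
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv and max(r[1] for r in recs) <= max_bytes:
            found.append((src, dst, dport, avg))
    return found


def report(flows=FLOWS, allowlist=ALLOWLIST):
    """Rank highest the destinations that are both unlisted and beaconing."""
    unlisted = unexpected_destinations(flows, allowlist)
    return [
        (src, dst, dport, gap)
        for src, dst, dport, gap in beacon_candidates(flows)
        if (dst, dport) in unlisted.get(src, set())
    ]


if __name__ == "__main__":
    for src, dst, dport, gap in report():
        print(f"{src} -> {dst}:{dport} every ~{gap:.0f}s, not in baseline")
```

Either signal alone is noisy: a new but legitimate destination is common, and some allowlisted services (log shipping, NTP) beacon by design. Cross-referencing the two, as `report()` does, is what makes the five-minute call-home to an unlisted address stand out from the bulk of normal server egress.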
Appleboum's analysis points the finger at the location of the manufacturer, Guangzhou, which is roughly 90 miles north of Shenzhen, also known as the "Chinese Silicon Valley of hardware." Logistically this does make sense, but the problem is that there are already so many ways to get into a system. Why would China spend billions of dollars and years of research on something it could accomplish in a dozen other, likely highly successful, ways?
This could also be another form of "interdiction," the practice of modifying equipment while it is in transit, which would make the claim far more plausible. Bloomberg isn't normally in the habit of publishing false stories, but at the same time, these sorts of companies aren't normally in the business of issuing such strongly-worded denials. Stay tuned and we'll keep you informed on the validity of these claims and on whether anyone else comes forward with evidence.