Bloomberg Wants You To Believe in its Mythical Supermicro Spy Chips
Remember when Bloomberg claimed that motherboard supplier Supermicro (NASDAQ:SMCI) had Trojan Horse clandestine chips from China planted on its boards that made their way into the servers of some of the world’s top technology companies? Remember when the company’s stock crashed, a Congressional inquiry was called, and then nothing happened? Well, Bloomberg is doubling down on that story and has brought it back with new,
Bloomberg says that its new reporting on Supermicro, which doesn’t make many new material claims aside from that the semiconductor subterfuge was at a scale not originally captured by its prior article, and the FBI was actively running a counterintelligence probe on the company, is verified by “more than 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector.”
But the only ones that would put their names to the interview are those that have been “briefed” on the topic. They don’t have first-hand knowledge.
“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm. “These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips” […]
“This was espionage on the board itself,” said Mukul Kumar, who said he received one such warning during an unclassified briefing in 2015 when he was the chief security officer for Altera Corp., a chip designer in San Jose. “There was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China” […[
Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force. Quinn was working for a company that was a potential bidder for Air Force contracts, and the officials wanted to ensure that any work would not include Supermicro equipment, he said.
The story also alleges that there are technical similarities to the SolarWinds attack, which had been noticed by Intel. Intel, as the story goes, had briefed Supermicro on this and ultimately the issue was patched.
tl;dr is a source misunderstood an FBI defensive briefing on China's supply chain activities, leaked it to the press, and bloomberg has *again* failed to do the work necessary to verify the sensational claims, because they mistake impressive credentials with domain expertise.
— Pwn All The Things (@pwnallthethings) February 12, 2021
For its part, Supermicro once again denies the entirety of the Bloomberg story calling it a “mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don’t withstand scrutiny.”
It also denies it has been in contact with any US government agencies about an investigation, and it also denies that its customers have contacted it about ongoing government investigations.
Only comment I plan to make on the Bloomberg SuperMicro story part 2:
- it’s an insanely sensational claim
- no evidence has ever been presented
- the specific journalists have routinely shown they struggle on technical details
- the burden of proof is on the journalists
— Robert M. Lee (@RobertMLee) February 12, 2021
When Bloomberg first ran the story it was widely criticized for conflating a very real theoretical risk with a practical attack. Bloomberg has yet to provide any material evidence or corroboration, and one of the key sources for their original story, hardware security expert Joe Fitzpatrick, went on the record to say that the story Bloomberg ran, in the end, didn’t make any sense.
“What really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at black hat two years ago worked,” he said on the Risky Business podcast. “It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources.”
Upon market open Supermicro stock dropped by 5% but minutes later began recovering as the market dismissed the story.