Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Super Micro Trojan: US and UK Back Apple and Amazon Denials

Government Agencies Have 'No Reason to Doubt' Supply Chain Tampering Refutation
Super Micro Trojan: US and UK Back Apple and Amazon Denials

U.S. and U.K. government agencies have said they have "no reason to doubt" strong denials issued by Amazon and Apple that hardware hackers had successfully trojanized servers used by the companies, providing a backdoor for Chinese spies (see Report: Chinese Spy Chip Backdoored US Defense, Tech Firms).

See Also: The Healthcare CISO’s Guide to Medical IoT Security

"We are aware of the media reports, but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple," the U.K.'s National Cyber Security Center says in a statement issued Friday. "The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us."

Referencing the statement from NCSC, which is part of the U.K.'s GCHQ signal intelligence agency, the U.S. Department of Homeland Security on Saturday issued a similarly worded reaction. "The Department of Homeland Security is aware of the media reports of a technology supply chain compromise," it says. "Like our partners in the U.K., the National Cyber Security Center, at this time we have no reason to doubt the statements from the companies named in the story."

The story in question was an explosive report published on Thursday by Bloomberg describing an espionage operation that planted a tiny spying chip on widely distributed server motherboards supplied to Apple, Amazon, the U.S. Department of Defense and dozens of other organizations.

The alleged chip was reportedly planted in motherboards manufactured in Asia by U.S.-based Super Micro - aka Supermicro - one of the world's largest hardware component manufacturers. The motherboards were then allegedly installed in servers sold to Apple and Amazon, as well as in servers made for Elemental Technologies, which Amazon acquired in 2015.

Apple and Amazon, issued unusually strong statements that deny many aspects of Bloomberg's reporting.

Because both are publicly traded companies, their public statements are subject to U.S. Securities and Exchange Commission regulations.

Strong Denials

"Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company says, noting that it has never been in contact with the FBI or any other U.S. government agency about the incident that is alleged in the Bloomberg report. "We are not under any kind of gag order or other confidentiality obligations."

"We tried to figure out if there was anything, anything, that transpired that's even remotely close to this," an unnamed senior Apple security executive told Buzzfeed News. "We found nothing."

In a letter to the Senate and House commerce committees, George Stathakopoulos, Apple's vice president for information security, said the firm had repeatedly looked for signs of the attacks alleged in the Bloomberg report. "Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity," he wrote in his letter, a copy of which was seen by Reuters. "Nothing was ever found."

Amazon CISO Steve Schmidt has also dismissed the Bloomberg report, which claimed that the alleged incident compromised Amazon Web Services. "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems," he says. "Nor have we engaged in an investigation with the government."

Both Elemental and Super Micro have also strongly denied the Bloomberg report. Super Micro said that it "strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems."

'Echoes an Actual Story'?

Network security expert Peiter Zatko - better known as Mudge - says via Twitter that it's likely that the Bloomberg report "echoes an actual story" but doesn't get all of the details correct.

"Some hardware persons interviewed are not knowledgeable on implant work," he said. In addition, he notes that there are "many operational issues" using "non-directed HW [hardware] backdoors at scale as described [in the report]."

The information security researcher known as SwiftOnSecurity suggests that it's possible that, as in a game of telephone, the retelling of the story has degraded some of the facts

Technical Details

While the Bloomberg report is short on technical details, many security experts say that whether or not this attack occurred, or occurred as alleged, it appears at least to have been technically feasible. As a result, they're warning organizations to ensure they have the right defenses in place, as Apple says it does.

"In essence, this story seems to pass the sniff test," says Theo Markettos, who is on the security team at Cambridge University's Computer Lab.

"It is technically plausible," Jake Williams, a former member of the U.S. National Security Agency's hacking unit who now runs security consultancy Rendition Infosec in Augusta, Georgia, said in a Thursday web conference, the Register reports. "If I wanted to do this, this is how I'd do it."

London-based information security expert Nick Hutton says organizations should actively defend against attackers who are able to subvert hardware BIOS, or a baseboard management controller or microcontroller.

"Such enclaves make ideal hiding places for badness, whether added hardware is involved or not," Hutton says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.