In its story, Bloomberg claimed that security testing by Amazon in 2015 had revealed tiny chips that were not part of the original mainboard design, and that this led to an extensive investigation by US Government agencies, which found servers built using these boards in Department of Defence data centres, on warships, and in systems processing data handled by CIA drones.
The news agency said that major banks were also using servers made by Supermicro and that the government investigation led to several companies getting rid of the Supermicro equipment.
Detailed denials by Amazon and Apple, two of the companies said to have been victims, were partly responsible for these doubts, as were statements from the UK National Cyber Security Centre and the US Department of Homeland Security. A former Apple executive has also added to the doubts around the story.
Few, if any, "experts" considered the political implications of the Bloomberg claims and their timing. Of course, China was being put in the spotlight and many Western "experts" tend to have a somewhat blinkered view when it comes to this country. More on this later.
British security consultant Kevin Beaumont, who was among the early sceptics, pointed out in a tweet that Robertson and Riley had put out a story some years ago, claiming that the US Government had prior knowledge of the Heartbleed bug, a serious vulnerability in OpenSSL, before it was announced.
"Worth noting same Bloomberg reporters put out a story a few years ago citing multiple sources that the US knew about Heartbleed. That story was flat out wrong. Bloomberg didn't follow it up or comment." https://t.co/smdoHUs8kR
— Kevin Beaumont (@GossiTheDog) October 5, 2018
He said, when the story was denied, Bloomberg did not issue any follow-up.
Other security researchers pointed out that Bloomberg had claimed three years ago that a pipeline explosion in Turkey was an early case of "cyber war", a somewhat dubious claim.
Cris "SpaceRogue" Thomas, a former member of the L0pht Heavy Industries hacking collective and now a researcher with Tenable Network Security, wrote that while the explosion could be what the reporters in question claimed it to be, "without additional facts from someone other than an 'unnamed source familiar with the incident who asked not to be identified' I will have my doubts. Until those facts are presented I'll go back to reading my Microsoft Patch Tuesday reports".
[Thomas runs a project known as Cybersquirrel1, which he initiated in 2013, to debunk claims of cyber war coming from various sources.]
One of those who tried to capitalise on the claims made by Robertson and Riley, and ended up having to retract his own claims, was Patrick Gray, an Australian who produces a weekly marketing podcast on security.
Gray appears to have been so excited by the Bloomberg claims that he put out a special issue of his podcast, which included the claim that one of his "sources" had found just such chips on a Supermicro mainboard and had even shown him pictures that were said to be from a teardown of such a board.
"These photos showed an unlabelled integrated circuit the source said was likely a hardware back door. Further, the source said there were other problems with the SuperMicro gear, including vulnerable firmware and security functions that just didn’t work properly," Gray claimed.
But this so-called source, whom Gray said he had known for about 15 years, then changed his/her tune and said the photos were from different equipment. While retracting his claims, Gray did not mention if there were other such sensational bits of information he had been fed by the same source over the years and used in his podcasts.
"US plans to retaliate by implanting tiny 'chips' in all hardware sent to China according to 17 unnamed sources." pic.twitter.com/ovqChUm6EI
— Brian Bartholomew (@Mao_Ware) October 6, 2018
Gray is not the first self-styled security expert to trip over something like this, in the rush to be first to propagate misinformation without proper checks.
Last year, Brian Krebs, a former employee of the Washington Post, quietly took down a story in which he used material from a Washington-based security firm known as InGuardians, claiming that a man of Russian origin was behind the leak of NSA exploits to a group known as the Shadow Brokers.
Krebs did not offer any explanation for removing the story. When iTWire quizzed him as to the reasons for his taking down the article, he did not provide a reply, indulging instead in personal slurs. Krebs' agenda in writing up the InGuardians "research" was questioned by well-known security blogger Marcy Wheeler.
And, finally, to the politics around the Bloomberg claims. Last year, when the US Government was hyping up the alleged Russian involvement in the 2016 presidential elections, three big newspapers — The New York Times, The Wall Street Journal and the Washington Post — tied the Russian security firm, Kaspersky Lab, to the Shadow Brokers.
The claims were taken at face value — even though there were numerous questions around them — and provided sufficient impetus for the US to push Kaspersky out of doing business with the public sector.
The Bloomberg claims come in the midst of a bid by the Trump administration to launch a trade war with China. Claims of sabotage in the supply chain would help to drive that narrative and provide a basis for government to act. I have yet to see any Western commentator raise this angle of the story.
So how did the Chinese contractor who supplied the alleged doctored mainboards ensure that they ended up at any particular company? Are we to believe that thousands of these servers were contacting a command-and-control server and all this activity went unnoticed by the NSA for so many years?
There are numerous other holes in the Bloomberg story. But let me leave it there and urge those who try to capitalise on such stories to adopt at least 10% of Beaumont's scepticism. The man would have made a fine journalist.