Security Market Segment LS
Saturday, 13 February 2021 10:25

After more than two years, Bloomberg revives tale of doctored Supermicro hardware Featured

By
After more than two years, Bloomberg revives tale of doctored Supermicro hardware Image by tookapic from Pixabay

Claims that servers, built by US company Super Micro Computer — known as Supermicro — have been tampered with and found to be sending data to China for many years, have been aired again by the news agency Bloomberg, more than two years after it made similar claims that were short on proof.

While the 2018 story claimed that these servers had been supplied to well-known companies like Apple and Amazon, this time the claims, made by the same two reporters, Jordan Robertson and Michael Riley, are that the tampering was in servers supplied to government agencies in the main.

There are two things in common to the allegations made: China and Super Micro Computer, a computer hardware maker in San Jose, California. If Robertson and Jordan are to be believed, then American law enforcement authorities have been investigating these incidents from 2010 onwards, but have maintained a studious silence.

As Bloomberg put it, all the instances "shared one other trait; US spymasters discovered the manipulations, but kept them largely secret as they tried to counter each one and learn more about China’s capabilities".

As iTWire reported last time Bloomberg made similar claims, the company has a practice of paying those higher annual bonuses to those who write stories that move markets, as this story may well do.

This time, a couple of sources are named, but they speak in generalisations, rather than specifics. For instance, Jay Tabb, a former executive assistant director of the FBI’s national security branch from 2018 to January 2020, was quoted as saying:

"Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China. It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured.”

But at the same time, Bloomberg wrote that neither Supermicro nor its employees had even been accused of wrongful acts and the anonymous officials who were cited as sources said the company had not been targeted in any counter-intelligence investigation.

Supermicro's response to the story got little airtime, with a link provided to the whole reply. It says: "Bloomberg’s story, as they have characterised it to us, is a mish-mash of disparate and inaccurate allegations that date back many years. It draws far-fetched conclusions that once again don’t withstand scrutiny.

"Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back 10 years, Supermicro has never been contacted by the US Government, or by any of our partners or customers, about these alleged investigations.

"Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing.

"To the contrary, several of the US Government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years.

"Bloomberg continues to attempt to revive its false and widely discredited 2018 story. In response to those allegations, we have never found any malicious chips, even after engaging a third-party security firm to conduct an independent investigation on our products.

"Nor have we been informed by any customer or government agency that such chips have ever been found. In 2018, several public and private sector officials rebutted the story on the record."

The two reporters claim to have spoken to 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector for the new story but "most asked not to be named in order to share sensitive information. Some details were confirmed in corporate documents Bloomberg News reviewed".

Often the claims are second- and third-hand. For example, Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm, spoke of personnel from two companies he advises telling him of being briefed by FBI staff who were investigating the addition of chips to Supermicro mainboards.

A few years ago, Robertson and Riley put out a story, claiming that the US Government had prior knowledge of the Heartbleed bug, a serious vulnerability in OpenSSL, before it was announced. Bloomberg did not issue a follow-up after the story was denied.

Supermicro was founded by a Taiwanese immigrant to the US, Charles Liang. Most of the company's hardware is made in China – as is the case with most technology companies in the US.

The Bloomberg report also claims that laptops made by Lenovo and being used by US troops that invaded Iraq had altered hardware, information that was taken from a court document.

But the company was not told about this, with spokeswoman Charlotte West telling Robertson and Riley that US officials had investigated Lenovo's background and trustworthiness while a review was being conducted in 2014 when Lenovo wanted to acquire businesses owned by IBM and Google. Both acquisitions were waved through.

Anonymous officials were again cited in an alleged case of Supermicro servers exhibiting unusual behaviour in Pentagon networks. "Investigators attributed the rogue code to China’s intelligence agencies, the officials said. A former senior Pentagon official said there was 'no ambiguity' in that attribution," the report said.

But again, this was kept quiet because the US wanted to find out why this spying was done. This nugget of information was attributed to three officials who said the NSA director at the time, Keith Alexander, was chiefly responsible for the decision to stay quiet. When a spokesman for Alexander was approached, he referred the questions to the NSA which, as it normally does, refused to confirm anything.

The code that was causing issues in the Pentagon case was identified as being part of the BIOS, which anonymous officials, who were briefed about the findings, said had been determined as being put in there by Supermicro personnel.

The report says that in 2014, malicious chips were found on Supermicro motherboards, with the information again credited to officials who were briefed between 2014 and 2017.

"It remains unclear how many companies were affected by the added-chip attack. Bloomberg’s 2018 story cited one official who put the number at almost 30, but no customer has acknowledged finding malicious chips on Supermicro motherboards," Robertson and Riley wrote.

The report also claimed that a security breach in Intel's networks was through a firmware updated downloaded from Supermicro's website. An Intel spokeswoman said the incident was detected early and caused no data loss.


Subscribe to ITWIRE UPDATE Newsletter here

PROMOTE YOUR WEBINAR ON ITWIRE

It's all about Webinars.

Marketing budgets are now focused on Webinars combined with Lead Generation.

If you wish to promote a Webinar we recommend at least a 3 to 4 week campaign prior to your event.

The iTWire campaign will include extensive adverts on our News Site itwire.com and prominent Newsletter promotion https://itwire.com/itwire-update.html and Promotional News & Editorial. Plus a video interview of the key speaker on iTWire TV https://www.youtube.com/c/iTWireTV/videos which will be used in Promotional Posts on the iTWire Home Page.

Now we are coming out of Lockdown iTWire will be focussed to assisting with your webinatrs and campaigns and assassistance via part payments and extended terms, a Webinar Business Booster Pack and other supportive programs. We can also create your adverts and written content plus coordinate your video interview.

We look forward to discussing your campaign goals with you. Please click the button below.

MORE INFO HERE!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments