The article is by
Jordan Robertson and Michael Riley who quote Joe Grand a hardware hacker and founder of Grand Idea Studio Inc who said: “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow. Hardware is just so far off the radar, it’s almost treated like black magic.”
Yet
the two authors claim:
But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies. One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
Notice there is not a single identified source. All are anonymous. Yet the story is widely repeated as if it is true. The appended video by Bloomberg does not ask the journalist any critical questions about sources. Not a single source is available to confirm or deny the evidence presented.
Amazon's response
Bloomberg printed Amazon's response: "It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware." AWS is Amazon Web Services.
Bloomberg replies that the denials are countered by six current and former senior national security officers who in conversations that began in the Obama administration and continued under Trump gave details on the discovery of the chips and the government investigation. Bloomberg continued: "One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. .. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information."
Note that some of the information is said to be classified. In other words someone leaked classified information to the two reporters. Why? Was it to discredit China but also to make sure that the information could not be verified? There is all sorts of detail that makes the story sound credible but of course there is no way of checking the detail to see if it is correct, No doubt the Trump administration will not talk about the talks if they exist and would likely neither confirm or deny them to suggest that they are indeed taking place without actually committing to this being so.
Apple's response
Apple's statement also printed by Bloomberg: "Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple."
Bloomberg claims that three Apple insiders, four of the six US officials confirmed that Apple was a victim. In all 17 people confirmed the manipulation of Supermicro's hardware and other elements of the attack. Of course, the identities of all 17 people, including the three Bloomberg and four senior US officials are not revealed. Instead of giving any independent evidence Bloomberg simply repeats the narrative that the two companies deny.
SuperMicro
SuperMicro responded to the story: "While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue." Again the Bloomberg response is just to rely on their story and their sources which remain anonymous. There is no independent evidence that those sources are telling the truth. Imagine if SuperMicro's defence began by citing anonymous senior officials say that there was no investigation. We cannot say who they are because the information is too sensitive or classified,
The UK National Cyber Security Centre response
The Centre said that it had no reason to doubt the assessments made by Apple Inc. and Amazon Inc. a position that challenges the Bloomberg report that both companies had systems incorporating computer chips inserted by the Chinese intelligence services.
The Centre is a unit of Britain's eavesdropping agency GCHQ.
The Centre said:“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple. The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
So even a major fellow security agency knows nothing about this investigation even though it has been going on for years.
Bloomberg has not taken back anything that it has said as evidenced in the appended video. The report has no doubt harmed Apple and Amazon as well as making serious allegations against China that have no way of being confirmed. Was the article specifically designed to ensure that US companies will avoid Chinese hardware?
No comments:
Post a Comment