Author Topic: Chinese Supply-Chain Attack on Computer Systems  (Read 528 times)


Offline al_infierno

Chinese Supply-Chain Attack on Computer Systems
« on: February 22, 2021, 02:37:22 PM »
https://www.schneier.com/blog/archives/2021/02/chinese-supply-chain-attack-on-computer-systems.html

I used to work at Supermicro (worst work experience of my life) so I have to admit this news is rather amusing to me.  Loads of links in the article with further details for anyone interested.

Quote
Bloomberg News has a major story about the Chinese hacking computer motherboards made by Supermicro, Levono, and others. It’s been going on since at least 2008. The US government has known about it for almost as long, and has tried to keep the attack secret:

Quote
    China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

There’s lots of detail in the article, and I recommend that you read it through.

This is a follow on, with a lot more detail, to a story Bloomberg reported on in fall 2018. I didn’t believe the story back then, writing:

Quote
    I don’t think it’s real. Yes, it’s plausible. But first of all, if someone actually surreptitiously put malicious chips onto motherboards en masse, we would have seen a photo of the alleged chip already. And second, there are easier, more effective, and less obvious ways of adding backdoors to networking equipment.

I seem to have been wrong. From the current Bloomberg story:

Quote
    Mike Quinn, a cybersecurity executive who served in senior roles at Cisco Systems Inc. and Microsoft Corp., said he was briefed about added chips on Supermicro motherboards by officials from the U.S. Air Force. Quinn was working for a company that was a potential bidder for Air Force contracts, and the officials wanted to ensure that any work would not include Supermicro equipment, he said. Bloomberg agreed not to specify when Quinn received the briefing or identify the company he was working for at the time.

    “This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” Quinn said, recalling details provided by Air Force officials. The chip “was blended into the trace on a multilayered board,” he said.

    “The attackers knew how that board was designed so it would pass” quality assurance tests, Quinn said.

Supply-chain attacks are the flavor of the moment, it seems. But they’re serious, and very hard to defend against in our deeply international IT industry. (I have repeatedly called this an “insurmountable problem.”) Here’s me in 2018:

Quote
    Supply-chain security is an incredibly complex problem. US-only design and manufacturing isn’t an option; the tech world is far too internationally interdependent for that. We can’t trust anyone, yet we have no choice but to trust everyone. Our phones, computers, software and cloud systems are touched by citizens of dozens of different countries, any one of whom could subvert them at the demand of their government.

We need some fundamental security research here. I wrote this in 2019:

Quote
    The other solution is to build a secure system, even though any of its parts can be subverted. This is what the former Deputy Director of National Intelligence Sue Gordon meant in April when she said about 5G, “You have to presume a dirty network.” Or more precisely, can we solve this by building trustworthy systems out of untrustworthy parts?

    It sounds ridiculous on its face, but the Internet itself was a solution to a similar problem: a reliable network built out of unreliable parts. This was the result of decades of research. That research continues today, and it’s how we can have highly resilient distributed systems like Google’s network even though none of the individual components are particularly good. It’s also the philosophy behind much of the cybersecurity industry today: systems watching one another, looking for vulnerabilities and signs of attack.

It seems that supply-chain attacks are constantly in the news right now. That’s good. They’ve been a serious problem for a long time, and we need to take the threat seriously. For further reading, I strongly recommend this Atlantic Council report from last summer: “Breaking trust: Shades of crisis across an insecure software supply chain.”

It makes no difference what men think of war, said the judge.  War endures.  As well ask men what they think of stone.  War was always here.  Before man was, war waited for him.  The ultimate trade awaiting its ultimate practitioner.  That is the way it was and will be.  That way and not some other way.
- Cormac McCarthy, Blood Meridian


If they made nothing but WWII games, I'd be perfectly content.  Hypothetical matchups from alternate history 1980s, asymmetrical US-bashes-some-3rd world guerillas, or minor wars between Upper Bumblescum and outer Kaboomistan hold no appeal for me.
- Silent Disapproval Robot


I guess it's sort of nice that the word "tactical" seems to refer to some kind of seriousness during your moments of mental clarity.
- MengJiao

Offline Gusington

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #1 on: February 22, 2021, 02:48:36 PM »
Levono (from the article) = Lenovo?

"I'm not even dead and I'm rolling over in my grave."

- Toonces

Offline al_infierno

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #2 on: February 22, 2021, 02:51:19 PM »
Lol.  I guess Mr. Schneier did not pass his copyediting classes.


Offline Gusington

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #3 on: February 22, 2021, 03:12:27 PM »
For all I know there could be a 'Levono' computer company out there. But if he meant 'Lenovo' who knows what else is wrong. Not that the Chinese are not uber cyber warlords. But you know what I'm saying.

Offline Staggerwing

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #4 on: February 22, 2021, 07:23:28 PM »
Wasn't there a similar incident with (IIRC) Linksys routers a decade or so ago?

Would you know yet more, or what?  -Voluspa

Nothing really rocks and nothing really rolls and nothing's ever worth the cost...

"Don't you look at me that way..." -the Abyss
 
'When searching for a meaningful embrace, sometimes my self respect took second place' -Iggy Pop, Cry for Love

... this will go down on your permanent record... -the Violent Femmes, 'Kiss Off'-

"I'm not just anyone, I'm not just anyone-
I got my time machine, got my 'electronic dream!"
-Sonic Reducer, -Dead Boys

Offline demjansk1942

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #5 on: February 23, 2021, 03:32:30 AM »
What a friendly country

Offline Sir Slash

Re: Chinese Supply-Chain Attack on Computer Systems
« Reply #6 on: February 23, 2021, 09:24:54 AM »
And no threat at all that they'll 'Eat our Lunch'.

"Take a look at that". Sgt. Wilkerson-- CMBN. His last words after spotting a German tank on the other side of a hedgerow.