A large U.S. telecommunications company discovered tampered-with hardware in its network and removed it in August, offering fresh evidence of Chinese fingers in technology components bound for the U.S., according to a security expert working for the telecommunications company.
The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery after the publication of an investigative article in Bloomberg Businessweek that detailed how China's intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period that ended in 2015.
Appleboum previously worked in the technology unit of Israeli army intelligence and is now co-chief executive officer of Sepio Systems in Gaithersburg, Md. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company.
Bloomberg is not identifying the company because of Appleboum's nondisclosure agreement with the client.
Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector that's used to attach network cables to the computer, Appleboum said. The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro.
"Supermicro is a victim -- so is everyone else," he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and discovering them can in many cases be impossible.
"That's the problem with the Chinese supply chain," he said.
Supermicro, based in San Jose, Calif., gave this statement: "The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg [News] would give us only limited information, no documentation, and half a day to respond to these new allegations."
Bloomberg News first contacted Supermicro for comment on this article Monday morning.
Supermicro said after the earlier story that it "strongly refutes" reports that servers it sold to customers contained malicious microchips. China's Embassy in Washington did not return a request for comment Monday.
In response to the earlier Bloomberg Businessweek investigation, China's Foreign Affairs Ministry didn't directly address questions about the manipulation of Supermicro servers but said supply chain security is "an issue of common concern, and China is also a victim."
Supermicro shares fell 41 percent Thursday, the most since it became a public company in 2007, after the Bloomberg Businessweek revelations about the hacked servers. Shares fell 15 percent Tuesday.
The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They're both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.
Based on his inspection of the device, Appleboum determined that the telecommunications company's server was modified at the factory. He said he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the "Silicon Valley of Hardware," and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.
The tampered-with hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company's technicians couldn't answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine.
It's not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokesman declined to comment on whether it was aware of the finding.
"These devices are not part of our network, and we are not affected," AT&T Inc. spokesman Fletcher Cook said. Verizon Communications Inc. had no immediate comment on whether the malicious component was found in one of its servers.
A Sprint spokesman said the company does not have Supermicro equipment deployed in its network. T-Mobile U.S. Inc. didn't respond to requests for comment.
U.S. communications networks are an important target of foreign intelligence agencies, because data from millions of mobile phones, computers, and other devices pass through their systems. Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.
The manipulation of the Ethernet connector appeared to be similar to a method used by the U.S. National Security Agency, details of which were leaked in 2013. In emails, Appleboum and his team refer to the implant as their "old friend," because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.
In Bloomberg Businessweek's report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Both Amazon and Apple also disputed the findings. The U.S. Department of Homeland Security said it has "no reason to doubt" the companies' denials of Bloomberg Businessweek's reporting.
People familiar with the federal investigation into the 2014-15 attacks say it is being led by the FBI's cyber and counterintelligence teams, and that the Department of Homeland Security may not have been involved. Counterintelligence investigations are among the FBI's most closely held, and few officials and agencies outside of those units are briefed on the existence of those investigations.
Appleboum said he's consulted with intelligence agencies outside the U.S. that have told him they've been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.
Three security experts who have analyzed foreign hardware implants for the U.S. Department of Defense confirmed that the way Sepio's software detected the implant is sound. One of the few ways to identify suspicious hardware is by looking at the lowest levels of network traffic. Those include not only normal network transmissions, but also analog signals -- such as power consumption -- that can indicate the presence of a covert piece of hardware.
The goal of hardware implants is to establish a covert staging area within sensitive networks, and that's what Appleboum and his team concluded in this case. They decided it represented a serious security breach, along with multiple rogue electronics also detected on the network, and alerted the client's security team in August, which then removed them for analysis. Once the implant was identified and the server removed, Sepio's team was not able to perform further analysis on the chip.
The threat from hardware implants "is very real," said Sean Kanuck, who until 2016 was the top cyberofficial inside the office of the Director of National Intelligence. He's now director of future conflict and cybersecurity for the International Institute for Strategic Studies in Washington. Hardware implants can give attackers power that software attacks don't.
"Manufacturers that overlook this concern are ignoring a potentially serious problem," Kanuck said. "Capable cyberactors -- like the Chinese intelligence and security services -- can access the IT supply chain at multiple points to create advanced and persistent subversions."
Information for this article was contributed by Scott Moritz of Bloomberg News.
A Section on 10/10/2018