Report: Supermicro servers compromised by Chinese hardware backdoors

Unless you're reading this website by pure happenstance, it's pretty likely that you're familiar with the Supermicro name. You may have ordered some of the company's server hardware at some point, in fact. If you're even mildly concerned with data security, you may want to step on over to Bloomberg and read the site's latest feature article. The publication claims it has testimony from many sources, including "six current and former national security officials" plus insiders at Amazon and Apple, asserting that a massive US government investigation is ongoing regarding hardware backdoors installed in some Supermicro server motherboards used by as many as 30 U.S. companies.

The purported problem is that some Supermicro machines have rogue miniature onboard components that mimic signal conditioning couplers. Despite their diminutiveness and appearance, these components appear to be malicious micro-controllers that can manipulate data going to or from system memory. Bloomberg claims the chips were installed at the time of manufacturing. Given their positioning and capabilities, these chips could steal data or give attackers access to completely indefensible backdoors into affected systems. The chips were supposedly installed by agents of China's People's Liberation Army and apparently located during a security audit of servers sold by Elemental.

It's important to note that according to Bloomberg, all three companies mentioned in the article (Supermicro, Apple, and Amazon) have flatly denied these remarks. China's Ministry of Foreign Affairs reportedly said the story is nonsense, too. Even still, a lot of the details seem to line up, and Supermicro's stock is down by almost 50% today. If there's even a shard of truth to the tale, then the implications are fairly terrifying. You might take a moment this evening to hit the news agency's site and read the article in full. Let us know what you think of the allegations in the comments.

Comments closed
    • BIF
    • 11 months ago

    I have one question. Where’s the chip?

    Don’t just show us a Getty’s pic of somebody’s index finger holding a resistor. That’s just a file photo that has nothing to do with the actual issue.

    Show us some of the motherboards that supposedly have this modification.

    I don’t find Bloomberg to be the paragon of virtue and truth. They’re just as bad as all the others. Without proof, this is just more fake news from a fake news organization.

    Where is the Tech Report Investigative analysis on this? Why are we just repeating news from questionable sources?

      • Krogoth
      • 11 months ago

      There are pictures floating that allegedly show a tiny chip embedded within the PCB itself. It is easy to miss unless you know where to exactly look.

      It is a typical bugging job. Trying to hide something in “relative” plain sight.

      • liquidsquid
      • 11 months ago

      The thing is, as part of the vetting process of receiving hardware, it is to compare it against “golden” units visually, as well as against the original CAD documents. To have this missed by so many diminishes the chances of this being a legitimate story. I still call bullshiz.

        • BIF
        • 11 months ago

        Thank you.

      • dragontamer5788
      • 11 months ago

      > Don't just show us a Getty's pic of somebody's index finger holding a resistor

      That's actually a capacitor (probably something like this, which measures 0.03 inches x 0.06 inches: https://www.digikey.com/product-detail/en/avx-corporation/W4L14Z104MAT1S/478-6615-2-ND/2647911). But... yes. It's a small, passive component. I don't believe something like that could be used for what is being alleged here.

      While a signal-conditioning capacitor has 8 leads, they only "really" have 2 leads for the two sides of the capacitor (just like in high school: + and - side. Capacitors only have two leads, remember?). They have 8 leads to minimize inductance, but 4 of them go to the same wire, and the other 4 go to the 2nd wire. By alternating + and - wires across the capacitor, inductance and resistances drop dramatically (remember that parallel paths decrease resistance. Ditto for inductance). In the real world: micro-ohms (very small resistances) and pico-henries (very small inductances) can lead to dramatically different performance characteristics, especially when a 3GHz clock (0.33 nanoseconds per tick) exists somewhere on your circuit.

      For one, capacitors go on unconditioned signal traces: you put them in those locations to get rid of noise and such. So any "logic" you try to do on those kinds of lines would be incredibly noisy and likely not work at all.

      I'd like more details from a technical perspective. There are just so many questions in my mind... how could something like this even work if it's allegedly replacing a signal-conditioning chip? I'm not necessarily doubting the report, but the article is unfortunately light on any real details.

      So you'd have to change the PCB board to even replace a signal-conditioning chip. So my bet is that Bloomberg is just dead wrong on the "signal conditioning couplers" claim. Because signal-conditioning couplers only have 2 "real" leads (despite being 6-pin or 8-pin).

    • Waco
    • 11 months ago

    This is a minor niggle…but it’s “Super Micro Computer, Inc” these days. They changed the company name a couple years back.

    Also, there needs to be a lot more detail before people panic. Rogue BMCs aren’t *that* much of a problem with proper controls in place. There’s a very good reason most organizations disallow logging in via password over BMC interfaces.

    • liquidsquid
    • 11 months ago

    Honestly, I call Bullshiz. I would think the simpler story is our current administration stoking fears of doing business in China in an effort to get manufacturing to move back here to the US. After all, this was a major platform of this administration, and we have not seen them play Mr. Nice guy to the rest of the world.

      • K-L-Waster
      • 11 months ago

      Wouldn’t a foreign owned mobo maker be a more appropriate target in that case?

        • liquidsquid
        • 11 months ago

        Yes.

        All you have to do is stoke a little paranoia in a broadly-reaching story involving hand-waving and doughnut shops, even if the story is discredited, and it will become a huge issue. Folks scared about security will look into a secure supply chain which will mean keeping all production on-shore where it can be better qualified.

        Of note, a big concern with manufacturing is getting genuine parts. Many times on the gray market, counterfeit parts are accidentally purchased for quick-turn designs. They are impossible to detect without X-ray.

          • NovusBogus
          • 11 months ago

          Counterfeits, you say? FTDI has a solution for that. 🙂

          Hardware provenance is definitely going to become a big deal in the coming years.

      • NovusBogus
      • 11 months ago

      While it could be fake news, and certainly has enough salaciousness and reliance on anonymous sources to qualify, I highly doubt that Bloomberg would be one to do it given Michael Bloomberg’s known antipathy toward the Trump administration.

      In any case, it should be fairly easy for some third party security analysts to get their hands on these boards and find out for themselves.

        • designerfx
        • 11 months ago

        This would be drastically different if it wasn’t Bloomberg and Apple + Amazon denying it. The answer is simple: either one side is lying or both are correct in some way (Apple + Amazon never knew about it, for example).

    • Chrispy_
    • 11 months ago

    This is just the tip of the iceberg, I suspect.

    If a Chinese military division designed this and infiltrated one of SuperMicro’s suppliers, You’d need to be ridiculously naive to think that Supermicro is the only affected company.

    Practically all electronics in every server globally are manufactured in China with the same risk of military infiltration. Huawei and ZTE have previously been found to contain hardware backdoors.

    I’m just trusting my firewall rules for now, and waiting to see how big this scandal turns out to be. Chances are it’s like the VW emissions scandal – in that it’s actually a huge number of manufacturers involved, and Supermicro are just today’s scapegoat.

      • Krogoth
      • 11 months ago

      This is nothing new.

      Any intelligence agency worth its weight in salt has been doing similar shenanigans to each other since the 1980s. The only difference here is that it appears the Chinese are doing it at the factory itself instead of somewhere along the distribution channels (knowing that the affected product will certainly reach a desired target).

        • blastdoor
        • 11 months ago

        My interpretation of how the CIA has behaved over the last 30 to 40 years is that they act to punish or contain malevolent behavior by others — they do not initiate malevolent action to hurt innocents in order to advantage the US. In other words, countries that play by the rule and don’t hurt us will not be hurt by us.

        For example, I’ve read that the CIA used to create fake plans for the Soviets to steal, resulting in all sorts of failures of equipment, both military and civilian. The thing about that, though, is that the Soviets would have been just fine if they didn’t steal the plans. Then there’s the sabotage against the Iranian nuclear weapons development effort, but again — if the Iranians hadn’t been trying to develop nuclear weapons, they would have been just fine.

        It seems that what the Chinese are doing is different.

          • Amiga500+
          • 11 months ago

          Are you for real? If you truly believe that, you **need** to find other sources of information.

          One only needs to look at Gulf 2 to know the CIA invented all sorts of “intelligence” so that Dubya could finish daddy’s war (oh, and get the rest of his cabinet hideously rich on the back of fleecing the US taxpayer).

          You mention Iran. Did you know Iran had a secular democratically elected government and was a pillar of stability in the region before the Shah? (That is the same Shah that the CIA and MI6 installed in a coup. Albeit, that is outside your 40 year time limit.)

          But, what about Yemen going on right now?

          Haiti in the mid-90s too.

            • blastdoor
            • 11 months ago

            I disagreed with Gulf War 2, but Saddam Hussein was not an innocent guy — he was a malevolent dictator. Also, the fault there primarily rests with Bush and Cheney, not the CIA.

            Yes, I agree installing the Shah was a mistake, and there’s a reason I picked the 40 year time limit.

            I don’t think Yemen is a straightforward case at all.

            If the CIA were to behave analogously to the Chinese, then in the 1980s the CIA would have been spying on Japanese automakers in order to help American automakers, they would have been sabotaging Japanese and Korean memory producers to aid American memory producers, etc.

            While the CIA has definitely made mistakes — sometimes big mistakes — they have generally been focused on protecting the US from bad actors, not on committing petty theft and sabotage to help American companies make money. Certainly the current administration might want to change that, but it would appear that the intelligence community has actually been working hard to contain/thwart the worst aspects of this administration, to the extent that they can do that without actually launching a coup.

            • rika13
            • 11 months ago

            Actually, the CIA didn’t need to invent anything. They were just not fooled by Saddam’s “I won’t let you check my palaces for chemical weapons production.” scheme to make the UN think there was stuff there, only for it to be sneaked out to Syria.

          • psuedonymous
          • 11 months ago

          > My interpretation of how the CIA has behaved over the last 30 to 40 years is that they act to punish or contain malevolent behavior by others -- they do not initiate malevolent action to hurt innocents in order to advantage the US.

          Even if you put an arbitrary limit of 40 years that still encompasses the Iran-Contra affair and plenty of other CIA dodgy dealings. And the several $billion of arms trafficked to Afghanistan (gotta stop them reds at all cost etc) taking the powder keg in that region and just pouring high explosives all over it while enthusiastically chucking matches.

        • BurntMyBacon
        • 11 months ago

        IIRC, Russia was hollowing out the impact bar and adding memory elements in typewriters to record what was being typed back in the 70s.

    • Klimax
    • 12 months ago

    Say hello to “The Bear and the Dragon” by a certain Tom Clancy, only this time it is China on USA…

      • Usacomp2k3
      • 11 months ago

      May he RIP.

    • Wirko
    • 12 months ago

    You don’t just “add” a chip to a board that’s not designed to take it.

    • ronch
    • 12 months ago

    The representatives from Supermicro, Apple and Amazon who were questioned likely don’t even have a clue about any of this. Only a small, select group of people within their companies probably know about it. Does anyone really think everyone in the company would be privy to such secrets? And *even if* the company brass is stupid enough to let everyone in the company know, would they actually admit it?

    These denials are useless.

    • moose17145
    • 12 months ago

    The entire western world allowed ALL of their computer manufacturing to end up in a nation state we/they are effectively on rocky terms with at the best of times… and now we are supposed to pretend to be surprised when something like this happens?

    Is anyone else having a hard time even pretending to be shocked by this?

      • NovusBogus
      • 12 months ago

      Pretty much…assuming it’s true, the PLA itself is pretty far down the list of who I’m gonna blame for this.

      • ronch
      • 12 months ago

      Plot twist: American tech companies go to Russia for manufacturing.

    • Vaughn
    • 12 months ago

    Hmm time to buy stock in Supermicro 🙂

      • BurntMyBacon
      • 11 months ago

      Definitely some good short term gains to be had when people realize that their competitors also manufacture boards in China and they recover some of their value.

    • DancinJack
    • 12 months ago

    Considering the statements by Apple and Amazon, I have a VERY hard time believing this is true unless they are just completely clueless. They’d be facing some very, very serious ethics/legal/shareholder action if they knowingly put out false statements. I just don’t see that happening.

    • confusedpenguin
    • 12 months ago

    I knew this was happening, but I was called a conspiracy theorist. Don’t think Chinese companies are the only ones who factory install backdoors. I also find it unsettling that the NSA has contributed code to the Linux Kernel. Every government, both domestic and foreign, wants a secret backdoor into everything, and sadly governments often get their wish. Keep in mind that whenever you use an electronic device, you are giving up your privacy. Some of this kind of hardware tampering would make using a VPN not 100 percent secure.

      • shank15217
      • 11 months ago

      The Linux kernel is wide open. Go find me that secret back door the NSA planted, you will get millions.

      • DancinJack
      • 11 months ago

      you’re a conspiracy theorist, bro

    • cygnus1
    • 12 months ago

    These guys have a pretty solid take on the possibilities and ramifications here:

    https://www.servethehome.com/bloomberg-reports-china-infiltrated-the-supermicro-supply-chain-we-investigate/

    Tl;dr - it's most likely the chip is actually only attached to the BMC. Which means that this is really no more significant than the software-based hacks of the Dell and other big name BMCs. Also, with how vehemently Apple and Amazon are saying Bloomberg's info is false instead of "No Comment", it's probably all horseshit and the SEC likely needs to get involved to see who's sold off or shorted Supermicro shares recently.

    • Kougar
    • 12 months ago

    Starting to look more like bogus reporting by Bloomberg. Every company mentioned in the article (Supermicro, Apple, Amazon and especially Elemental itself) is refuting it.

    • ermo
    • 12 months ago

    Imagine if the roles were switched around: A US intelligence agency installing backdoors into hardware being sold in China.

    Would that have US citizens up in arms? I somehow doubt it.

    It seems to me that many people only *really* wake up to the consequences of pervasive spying and intelligence gathering when they experience what it feels like to be on the side that has its expectations of privacy violated.

      • Shobai
      • 12 months ago

      What, like Intel’s Management Engine, etc? [Edit: I can’t recall the name for AMD’s equivalent, which uses Arm’s TrustZone IIRC].

      It’s really no surprise that the Chinese are moving as fast as they can on locally designed CPU options.

      • derFunkenstein
      • 12 months ago

      that’s how the spy game works. It’s fine for you. Not fine for anybody else. Nothing new to see here.

      • benedict
      • 12 months ago

      Haven’t you read the Snowden articles. USA have been doing this since forever. They are making a big fuss out of it because they think they should have a monopoly on internet spying.

      • brucethemoose
      • 12 months ago

      With hard proof, they would get in trouble. This isn’t a one party state like China, there are circling sharks just waiting to take the moral high ground against whoever is responsible.

      • mikewinddale
      • 12 months ago

      The NSA *has* been installing backdoors on exported US routers:

      https://www.theguardian.com/books/2014/may/12/glenn-greenwald-nsa-tampers-us-internet-routers-snowden
      https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/
      https://www.theregister.co.uk/2015/03/18/want_to_dodge_nsa_supply_chain_taps_ask_cisco_for_a_dead_drop/

      • maxxcool
      • 12 months ago

      We were/are up in arms .. this HAS been done to US and foreign citizens and was documented out of that fiasco with the TAO team..

      https://www.aclu.org/sites/default/files/assets/tailored_access_operations.pdf

    • K-L-Waster
    • 12 months ago

    Assuming it’s true (and I’m inclined to believe it is), what are the alternatives?

    Or to put it another way, backdoors have been found in SuperMicro boards — but can we be sure that *only* SuperMicro is affected?

    Or is it going to turn into another story like DieselGate, where at first it was just VW but then it turned out other companies were doing the same thing?

      • Thrashdog
      • 12 months ago

      I wouldn’t trust boards already in place, but there is bound to be lots of independent research and investigation that will turn up the presence and/or absence of these devices in many of the most popular server boards. In the meantime, I would suspect that isolating your IPMI interfaces from the Internet, blocking outbound connections to Chinese IPs at your gateway, and reflashing/reinstalling everything back to known-clean images is about as much as can be done.

        • just brew it!
        • 12 months ago

        > blocking outbound connections to Chinese IPs at your gateway

        What makes you so sure all of their C&C servers are in China? You can get cheap VPSes all over the place.

          • derFunkenstein
          • 12 months ago

          that’s why I’ve ever understood geographical IP address restrictions on websites.

            • Captain Ned
            • 12 months ago

            ever??

            • derFunkenstein
            • 12 months ago

            Err… Never

            • ludi
            • 12 months ago

            On the flipside, our company’s previous owner had a security policy called “deny-ru” on the firewall, but that was mainly because we didn’t have any business ops in Russia and they viewed a .ru domain as the fastest possible way to get a malware infection.

            • Redocbew
            • 12 months ago

            Yeah, restrictions are lame, and in my experience trying to show content that’s specific to a geographic region causes more problems than it solves.

      • NovusBogus
      • 12 months ago

      Short term, nothing much beyond more evidence that putting everything online because ermagerd data collection is about the dumbest idea that anyone in the tech industry has ever had, that everyone involved in it should be banished to the fiery pits of Dell for all time, and that critical internal infrastructure should be airgapped. They can’t steal your IP or cripple you as the opening move in World War IV if they can’t establish a connection.

      Longer term, strategic assets should not be made by one’s geopolitical rivals. Especially if the relationship is less worthy-adversaries and more BDSM kinkfest.

    • Leader952
    • 12 months ago

    > Amazon says that it's untrue that "[Amazon Web Services] worked with the FBI to investigate or provide data about malicious hardware;" Apple writes that it is "not aware of any investigation by the FBI," and Super Micro similarly is "not aware of any investigation regarding this topic." Apple suggests further that Bloomberg may be misunderstanding the 2016 incident in which a Super Micro server with malware-infected firmware was found in Apple's design lab.

    https://arstechnica.com/gadgets/2018/10/bloomberg-super-micro-motherboards-used-by-apple-amazon-contained-chinese-spy-chips

    • Dposcorp
    • 12 months ago

    This is why I only buy 100% USA made motherboards. <rolls eyes>

      • chuckula
      • 12 months ago

      While buying a U.S. motherboard is practically impossible, not every motherboard is made in China either (I hope).

        • kuraegomon
        • 12 months ago

        Actually, pretty much.

          • Thrashdog
          • 12 months ago

          Five minutes of Googling suggests that Gigabyte has a plant in Taiwan, but that they may be the only major manufacturer that does. Almost all of the rest use mainland-Chinese plants.

          That said, China’s operation here was high-risk, and it’s possible that desktop components don’t offer enough rewards from a state-level espionage standpoint to be viable targets. We will have to see what inevitable further research turns up.

      • egon
      • 12 months ago

      My circa 1996 main rig had a US-made Supermicro motherboard. “Made in USA” was one of their selling points back then – some boards even had a little US flag stuck to them.

        • kvndoom
        • 11 months ago

        I believe they were the last mobo manufacturer to build in the US.

    • CScottG
    • 12 months ago

    OMG!

    My motherboard may have the filthy Sino baked-in (..err, like probably 99.99% of phones).

    • blastdoor
    • 12 months ago

    Apple has issued the strongest, most unequivocal rejection/denial that I’ve ever seen from them in response to this story. I don’t see the wisdom in Apple lying about this.

    Yet I tend to view Bloomberg as a pretty reputable source.

    So I’m not sure what to think

      • drfish
      • 12 months ago

      Likewise. It’s a head scratcher. As has been said elsewhere though, “that’s exactly what a PR department under a government gag order would say.”

        • ludi
        • 12 months ago

        I don’t know about that. Very Specific Statements by a public company that turn out to be knowingly false are actionable in the eyes of both the SEC and the shareholders’ lawyers.

        The only way around that problem is if there was a massive counterintelligence operation underway, for which the key actors had all been given a script to read and a promise of federal immunity for doing so. And the number of people who would have to be both in-the-know yet keeping a perfect lid on things would strain credulity.

        My best guess is that China does have a program to do exactly the things described in this article, and that some engineered prototypes got into the wild somewhere. A few Tom Clancy wannabes with connections to the cybersecurity industry, possibly as federal subcontractors working in the field, found out about it. They inferred connections between the data they had and some ordinary cybersecurity episodes that took place within Amazon, Apple, and SuperMicro, then found a pair of Bloomberg reporters eager to follow along.

        Take a look at Jordan Robertson’s author history at Bloomberg. “Hacking Hackers Hacked all the Hackable Hackware” about summarizes it. I get SemiAccurate vibes just looking at the title list.

          • egon
          • 12 months ago

          The story claims two AWS insiders, three Apple insiders, six US government officials and ’17 people in all’ as sources, so the few Tom Clancy wannabes theory doesn’t really satisfy as an explanation, at least not on its own.

            • ludi
            • 12 months ago

            Yes, it claims that, but a story like this can also start with a small core of True Believers and then infect a larger circle as a side effect of trying to flesh it out.

            One of the devilish things about trying to assemble this kind of story is that the people best positioned to know the facts are usually the least likely to be talking, and the people most willing to talk often have a mixed up version of events due to rumors, innuendo, or wanting to appear smart while failing to grasp the depths of their own ignorance. And unless the reporter is extremely crafty in their line of questioning, there’s a pretty good chance they’ll be asking leading questions in order to get the information flowing, and that can lead a shaky witness to start making mental connections between disparate facts that didn’t necessarily exist in the real event.

            I’m not accusing the Bloomberg writers of lying or even deliberately getting it wrong, but if only 40% of this story turned out to be materially correct as-written, that would still be a pleasant surprise.

        • blastdoor
        • 12 months ago

        But if they’re under a “gag order”, wouldn’t they just say nothing? That would actually be most consistent with Apple’s usual approach to stories they don’t agree with — ignore them.

        Yet the story does seem plausible and Bloomberg isn’t a tabloid. So yeah… head scratcher.

          • BurntMyBacon
          • 11 months ago

          There is also the possibility that the individuals interviewed have no knowledge of it being an issue. They wouldn’t want people to think that their services were compromised without reason. You’d have a significant number of people jumping to competing services based on a naive notion that this issue is limited to Apple. On the other hand, that line of reasoning could also constitute the “wisdom in Apple lying about this” that you mention in your previous post. So there is still the possibility that Apple is simply not being truthful. Of course a third possibility is that Bloomberg simply got it wrong, but enough of the facts line up that I find it the least probable of the three.

            • blastdoor
            • 11 months ago

            The risks of lying are huge, though. You get caught and your reputation is seriously damaged. Apple makes a lot of money off its brand reputation — it can’t afford to mess with that.

            • BurntMyBacon
            • 11 months ago

            Yet they and many other companies have been caught doing it before. There is plenty of opportunity to claim that the people interviewed had no knowledge of the issue or that the company found the issues after the Bloomberg article went live. Of course, it is entirely possible that they have no issues here or that they haven’t yet found them internally. I’m just talking possibilities.

            • blastdoor
            • 11 months ago

            What examples of apple lying do you have in mind?

            They have certainly been selective in their presentation of benchmarks, but I don’t recall them faking a benchmark.

            I also recall them making mistakes — for example, saying product X will come out by a certain date and then missing the shipping date. But I don’t see that as a lie, just a failure to execute.

            But maybe I have some selectivity bias in my memory. Is there a clear case of bald face lying?

      • HERETIC
      • 12 months ago

      “Apple has issued the strongest, most unequivocal rejection/denial that I’ve ever seen from them in response to this story.”

      That’s confirmation in my mind………………………………………………..

      • Takeshi7
      • 12 months ago

      This will be really easy to figure out in the next few days. If Apple, Amazon, and Supermicro launch defamation/libel suits against Bloomberg, then Bloomberg is wrong. If they don’t, then Bloomberg is right.

        • blastdoor
        • 12 months ago

        Not really…. defamation/libel suits are very hard to win (at least in the US), and rightly so (free speech/press and all that).

          • BurntMyBacon
          • 11 months ago

          True, but just launching a suit would get media coverage and could be used as damage control. I suppose it depends on whether they believe it is worth the money as, like you said, it is very hard to win such a suit in the US.

            • blastdoor
            • 11 months ago

            For the most part, I think only cry babies launch, or threaten to launch, those types of suits. There are exceptions, of course, but they’re rare.

            • BurntMyBacon
            • 11 months ago

            Yeah. Have to agree with you there.

      • gerryg
      • 12 months ago

      You’re right, a profit-minded megacorporation that leeches excessive amounts of money from the unwitting consumer masses would never lie about something that could hurt their bottom line.

      • egon
      • 12 months ago

      Just finished watching a video where one of the reporters refers to the denials and gives a bit of a boilerplate ‘we stand by our story’ sort of response:

      https://www.youtube.com/watch?v=mYShybwfcdo&t=19m09s

      Doesn't address why the companies issued denials, but that may be expecting him to engage in speculation. Earlier in the video he does suggest this is "not quite an ordinary criminal case that's being handled by the FBI", but an "ongoing counterintelligence investigation" for which we shouldn't "expect to see any public results".

      • brucethemoose
      • 12 months ago

      Maybe they’re going for plausible deniability? Keeping such a big security breach secret for years seems like grounds for SEC trouble, and both had legitimate excuses for abandoning Supermicro.

      • NovusBogus
      • 12 months ago

      I don’t know if it’s true or not. But I do know that if it is true, the wisdom you speak of probably looks a lot like a national security letter.

    • Kretschmer
    • 12 months ago

    I’m sure the NSA has their own backdoors installed in critical export hardware. I’d imagine that the best nation-states can do is a combination of whack-a-mole and gentleman’s agreements to not use state espionage tools for industrial espionage.

    But China’s CCP is in a race for time to climb the food chain as the country’s cost of living slowly pushes low-tier manufacturing elsewhere, and espionage is a great way to climb that ladder two rungs at a time.

      • nanoflower
      • 12 months ago

      I don’t think the NSA is putting exploits in every piece of hardware from a manufacturer. Instead they will target specific customers. Another difference is that the NSA would be looking for information related to national security while China goes well beyond that to all sorts of intellectual property that they can then farm out to Chinese companies.

      • cygnus1
      • 12 months ago

      The article even points out, the NSA and other western intelligence agencies prefer interdiction and modification of hardware en route to targets.

    • DancinJack
    • 12 months ago

    I don’t want to start a big political dust-up in the comments, but I do wonder if this has anything to do with the recent public comments by the Administration about China. Bolton/Pence/Trump have been especially hard on China this week (rightfully so IMO), and this story just bolsters that position.

      • cygnus1
      • 12 months ago

      It’s definitely possible this knowledge has played a part in all their decisions on Chinese trade, since the article has this fiasco going back a few years into the previous administration’s term. Could explain the entire ramp-up of sanctions against China. And going full cloak and dagger, Trump could even be working with our allies that we appear to be pissing off with tariffs to make it look like he’s hard on everyone when really they all want to be extra hard on China.

      This is honestly the kind of hack I actually fear for impacting critical infrastructure. Makes it a lot easier to attack a target service/device if it comes to you for instructions instead of you having to break through network defenses to get at it.

        • nanoflower
        • 12 months ago

        I doubt that this has anything to do with the current actions against China, as while Supermicro is well known to us, the enthusiast class, it’s going to be a very small player overall and not of much significance to our politicians. Plus China has been going after IP for a long time, which is what the real issue is. This is just one new way for them to potentially gain access to that IP.

        I would also add that there have been discussions about the NSA and others developing similar technology for years. The only difference is that in the case of the NSA the work was done to target specific targets and not EVERYONE that buys hardware from a single company.

          • derFunkenstein
          • 12 months ago

          It doesn’t matter if Supermicro is relatively small, the government has a long-standing zero-tolerance (except when it suits them otherwise) policy against these alleged actions.

          • kuraegomon
          • 12 months ago

          “The only difference is that in the case of the NSA the work was done to target specific targets and not EVERYONE that buys hardware from a single company”

          Bwaaaahahahaha - you're funny

          • cygnus1
          • 12 months ago

          It’s not really about Supermicro’s size or how well known they are at all, but their customer base and where their hardware has ended up.

          I’m thinking you haven’t actually read the Bloomberg article. They’re alleging that Amazon basically sold off a datacenter in China because of how many Supermicro servers were there. It purportedly just would’ve been too suspicious to replace them all after discovering the tainted hardware. Also, Supermicro servers are all over the government, DoD, and military as well as deployed in some capacity in probably almost every datacenter.

            • nanoflower
            • 12 months ago

            Yeah, I didn’t read the article. Though selling off the data center just put the problem on someone else. Not a good thing.

          • BurntMyBacon
          • 11 months ago

          nanoflower wrote: “The only difference is that in the case of the NSA the work was done to target specific targets and not EVERYONE that buys hardware from a single company.”

          When the NSA targets a specific individual/company/etc. they are trying to limit discovery of the exploit. A large scale operation like what China did is usually broad in what they are trying to accomplish. If there was a specific target, for instance, Microsoft, then they may not reach their target due to the issue being found in SuperMicro, Apple(?), and Amazon(?). Subsequently, any affected products Microsoft may have purchased would be far more likely to be detected.

      • K-L-Waster
      • 12 months ago

      This being political would only make sense if there was a non-Chinese alternative that the political actors could point people to. SuperMicro is the only US-based mobo maker I can think of, the rest are based in the far east.

      It’s a bit like saying “Harley Davidson isn’t American anymore! Buy… uhhhh… Honda?”

        • DancinJack
        • 12 months ago

        I just meant I didn’t want a left vs right argument in the comments by even mentioning it.

      • NovusBogus
      • 12 months ago

      It’s more likely that the two things simply came from the same place, i.e. decades of highly dysfunctional East-West relations are finally bearing all their rotten fruit.

        • DancinJack
        • 12 months ago

        Most likely, I just found the timing of the article and the extreme language of the Administration this week to be strange.

      • kamikaziechameleon
      • 11 months ago

      No, this was two parallel investigations coming together one with a double agent and one with private industry security.

      I saw an intelligence quote on Bloomberg equating this in the intelligence field to “seeing a unicorn jumping over a rainbow.” A manufacturer-level hardware hack that got past everyone, and w/o a leak on the Chinese side we never would have figured it out.

      • Nictron
      • 11 months ago

      I listened to an SGT Report podcast this week and they mentioned some scary stuff around collaboration between communist agents and prior administration staff. If this is true it could be treason under your country’s laws.

      Time will tell, but this does bolster the suspicions. I am from South Africa and the Chinese are notoriously corrupt here and have their fingers in everything! Many of our service providers are filled with Chinese-manufactured infrastructure!

    • just brew it!
    • 12 months ago

    If this turns out to be true, the only mitigating factor I see is the fact that it is supposedly attached to the motherboard’s remote management (IPMI) hardware, not the primary NIC.

    Any organization with decent security practices should have their remote management infrastructure on a separate LAN or VLAN which is locked down (not exposed to the internet, and unable to initiate outgoing connections through the firewall). I'm sure a lot of places have dropped the ball on this though. Until we know more, my advice would be to unplug the remote management port if you've got a Supermicro motherboard and are using the remote management feature...

      • maxxcool
      • 12 months ago

      This^. Add to that, any decent perimeter software would see C&C and/or remote control protocols, or at the VERY LEAST suspicious IP connections to said hardware.

      I believe it did occur, I am not doubting that. But if it's in your data center you should be controlling every byte of data and know by heart every IP and MAC address it is authorized to touch.

      edit ta=at

        • davidbowser
        • 12 months ago

        This was my immediate thought. In a “normal” company, there is little to no chance that a random outgoing C&C ping would be caught, but any sustained or total volume behavior like this would be found at a company as sophisticated as Apple or Amazon.

        For example, a company I used to work for had a security incident that was detected pretty early on. The compromised VM was moved to a honey-net environment to record any other connection attempts and with all sorts of open-source code and public garbage data for the intruders to sift through while the FBI was brought in to track them down.

          • maxxcool
          • 12 months ago

          Agree, I think Bloom trumped this up to make it sound like ‘major’ super critical services were affected. Smaller firms affected, you bet this got through.. not everyone X-rays lots of hardware to scan for blips out of place.

          And likely the smaller subcontractors WERE the actual targets. It is easier to gain access or map out your primary target via less secure third party links than hacking the primary target. Just think of the opportunities to snoop main RAM or CPU data in transit to sniff PKI, encryption keys etc.. highly compressible small chunks of data that ruin an admin’s day.

      • SecretSquirrel
      • 12 months ago

      Almost every BMC I’ve used in the last 10 years has the ability to share the primary NIC with the system, or to have its own dedicated connection. Usually it’s just a setting toggle in the BMC configuration. Likewise, turning off remote management doesn’t shut down the BMC, it just stops you from contacting it remotely. Nothing stopping it from calling out.

      In reality, if the article is even partially right about the capabilities of the hack, you cannot stop this in any way from the server itself. As the saying goes, once you have access to the hardware, you own the system. You can’t block it at the network level, that’s about it.

        • Klimax
        • 12 months ago

        If it has valid IP config…

      • CScottG
      • 12 months ago

      It’s one feature I don’t use.. even if it was not a baked-in back-door, it’s a huge security hole.

    • Captain Ned
    • 12 months ago

    Hey, it’s what happens when you contract out to the lowest bidder.

    The fact that nation-state 3-letter agencies do this sort of stuff isn’t exactly news, though.

      • chuckula
      • 12 months ago

      “Hey, it's what happens when you contract out to the lowest bidder.”

      I wish the lowest bidder would give me additional hardware for free!

        • drfish
        • 12 months ago

        The hardware’s free, but the price you pay on the software side is pretty steep!

          • morphine
          • 12 months ago

          Ah, I see you too have been ordering Cisco or Oracle.

      • kuraegomon
      • 12 months ago

      Yeah, and which 3-letter agency basically invented this playbook? (Hint: No Such Agency :-D)

    • chuckula
    • 12 months ago

    That is pretty crazy and really makes you want to tighten the tin foil hat.

    I’d have all kinds of technical questions as to what these malicious microcontrollers were really capable of doing since I highly doubt they were capable of exfiltrating full snapshots of system RAM in any manner that could escape detection for long. But if they were being used in a more subtle manner they could provide a platform to let an outside attacker insert software backdoors while bypassing standard OS security.

    SuperMicro was already in some financial trouble and this can’t be good news for them.

      • shank15217
      • 11 months ago

      We’re supposed to be a more technical crowd here. It would be too bad if Supermicro went belly up because of this, they make great white box servers.

      • anotherengineer
      • 11 months ago

      I wonder if it’s more misinformation for stock dumping like happened to AMD earlier this year?
