A microchip planted by China on Supermicro motherboards used by organizations, including the CIA, the U.S. military, Amazon and Apple, left sensitive information vulnerable to hacking and underscores the importance of locking down the security of the supply chain whose vast tentacles reach out to touch organizations around the globe.
“It’s the equivalent of the Chinese putting their own Snowden in every agency and private company with elevated access and because it’s in hardware it be a nightmare to eradicate,” Brian Vecci, technical evangelist at Varonis, said, explaining that the hardcoded backdoor “gives an advanced threat persistent, privileged access to a variety of systems and data.”
It also pits not only government but private industry against nation-state actors. “The new and recent DHS alerts about the Chinese APT10 ‘RedLeaves’ cyberattack on cloud providers highlight the impossible problem faced by both enterprise and municipal government,” said CipherCloud CEO Pravin Kothari. “The impossible problem is that enterprise and government cannot face off against well-funded nation-state attackers or large scale organized crime. It is a ridiculous proposition to believe otherwise.”
Kothari called for the U.S. government “to step in and defend our internet infrastructure so that normal commerce and communications can continue unhindered.”
American authorities first began a classified investigation of the chips, believed to have been planted by the People’s Liberation Army (PLA), in 2015, according to Bloomberg/BusinessWeek, which broke the story after a multiyear investigative probe of its own.
The PLA inserted itself into the operations of subcontractors in China contributing to Supermicro’s motherboard and sneaked in the chips, which, among other things, can allow hackers to modify servers, insert code and gain access to information.
“These threat actors are playing a long game with pre-attacks like these that position themselves for devastating attacks down the road– they are testing their abilities and an organization’s vulnerabilities to see how far they can go,” said Vecci, who called the “attack…about as surprising as catching Cookie Monster with his hand in the cookie jar.”
What is surprising, he noted, “is that it has only taken decade or two for the digital world to become so inter-dependent – not just with hardware but with software -- today many systems have so much code in common that any upstream compromise is a widespread threat.”
For years, the security industry has warned the supply chain is vulnerable to widespread and damaging attack.
"There are very real and devastating business impacts to supply chain attacks,” said Stephen Boyer, CTO and co-founder, BitSight:micro. “We saw this last year with the Nonpetya ransomware attack -- which cost Maersk between $250 and $300 million -- and now, with [the] Supermicro attack.”
Malcolm Harkins, chief security and trust officer at Cylance, noted that “unfortunately the only surprising element about this attack is that it’s taken so long to be uncovered in a report. Supply chain compromise has been a concern for a long time, and there are multiple nation states with endless motivations who make attacks of this scale a certainty rather than a probability.”
The latest incident is a wakeup call that organizations can’t afford to ignore. “The path ahead is to carefully vet the supply chain,” said Neelima Rustagi, senior director, product management at Demisto. “Unfortunately, foreign countries manufacture most of our chips and systems, so it’s going to be tricky to protect against motivated nation-state actors.”
Kothari said success would be more likely through a collaborative effort between the U.S. and other governments worldwide. “We must do this within the rule of law, put all of the evidence out there in the view of the global community, and enlist the support of our allies to ensure we are successful,” he said.