The story in Bloomberg Businessweek was lurid in the extreme. It read like an Ian Fleming novel, included stylized images of computer circuit boards and had pictures of a tiny chip. What happened, according to the story, was that Chinese hackers working for that nation’s military had found a way to insert a tiny surveillance chip on motherboards sold by Super Micro Computer to major U.S. companies and to the government.
The computers containing those motherboards were sold to about 30 organizations, including Apple and Amazon, the story said. The story also alleged that those companies removed the affected computers and worked with the government in an elaborate investigation. All of the companies involved now say it’s not true and that it never happened.
Whether the scheme went down as the report in Businessweek said it did is open to debate. A number of security experts find it unlikely and have suggested that such a plan had too many points of possible failure to be taken seriously. The idea that the Chinese government somehow managed to redesign the motherboards of these computers to accept this malware-laden chip and then to add the chips to the supply chain so that they were inserted into the build process strains credulity of the story.
Special Tiny Chip Isn’t Even Necessary
The process of redesigning and re-engineering a new motherboard is nontrivial. Ironically, the special tiny chip that makes up the story isn’t even necessary. Super Micro motherboards, like the motherboards from other companies, contain firmware on a memory chip that’s already on the motherboard. As the Russians found with their UEFI malware, you can put malware that does what the Chinese malware is said to do on that chip.
Such an attack is a much cleaner, much more secure means of delivering infected hardware, and it’s harder to find. If the Chinese had wanted to infect Super Micro servers, embedding the malware in the memory with the firmware would have worked. Perhaps more important, this has been the practice anyway.
Anthony James, vice president for cloud security for CipherCloud, points out that such attacks by China have been going on for years. “We ran into an attack that came out of China, called Zombie 0, that ran on a Chinese bar code scanner,” James said.
James said the infected scanners were found at a customer site, and when new scanners were ordered, they exhibited the same behavior of sending information to China. He said that his team created some fake data to see just what the malware was up to.
How to Defeat the Malware
James added that if the Super Micro servers are indeed infected with Chinese surveillance malware, it can probably be defeated by segmenting the network that the servers are on so that they can’t receive instructions from their command and control servers and so that their communications can be tracked.
But that’s not the real problem, despite the lurid description. The actual risks are both greater and less glamorous: The real risk is in the supply chain.
“The fact still remains that IT supply-chain security has been a concern,” said Theresa Payton, CEO of Fortalice Solutions and the former CIO of the White House under President George W. Bush. “You have businesses and government in the same boat. But we have trouble managing the supply chain risk.”
Payton said that as computers have become more sophisticated, and since they’ve become more global in their manufacturing, the supply chain has become more complex. “Supply chain security often falters where there’s supply chain complexity,” she said.
Payton also said that when tensions rise, it’s not surprising to see a nation-state flex its muscles, and one way is to insert malware into systems that be useful later. But until they’re needed, they just lie in wait. She called such malware installations “sleeper side doors” that can be used as leverage when needed. “You could see why a nation-state would want this,” she said.
Supply Chain Is the Most Important Environment
The problem is that it’s hard to control the supply chain with the current level of security, and creating the secure environment might require some kind of trust and verify practice. But the question is: How do you accomplish that?
This is an area where Congress needs to be engaged, to get hearings from the intelligence community and from law enforcement to develop new laws that help enable secure supply chains, according to Payton.
Meanwhile, she suggests that businesses inspect their supply chains to make sure they’re secure and that they look for places where there might be a problem.
But since it’s difficult to know for sure whether a server has a sleeper side door waiting inside, it’s important to assume it does. This includes proper network segmentation to keep command and control messages from getting in and to keep unauthorized data from getting out. In addition, CipherCloud’s James said, “You need access control lists on everything.”
You also need to look for outbound communications to servers where you don’t have business and, most importantly, to encrypt your data. Those side doors don’t do the Chinese or anyone else any good if they can’t use the data.