Well, it’s been a great week of podcasting. At the end, I usually ask my guests what they think the number one Cyber threat that is out there: Their common answer is the Critical Infrastructure. This can include anything ranging from our gas pipelines to the water supply and even the oil and gas industries. Heck, even our government services, such as the E911 system, and public alert system are all at risk.
But the Critical Infrastructure also boils down to one more thing: Our logistics and supply chains. This is an area which is very often overlooked, and not it is not until now that is getting the attention of Cyber security specialists.
The catalyst for this has been the news that Chinese based Cyber attackers have been able to gain access of the servers of over 30 high profile technology companies here in the United States, including that of Apple and Amazon.
Apparently, these Chinese hackers implanted tiny surveillance chips on the servers that are used by these firms. This allowed them to covertly hijack technology secrets, as well as government and corporate data. Now, an important point has to be made here.
The Chinese threat actors did not actually come into United States and implant these specialized chips by posing as contractors, rather they were implanted at the time that these servers were manufactured in China. This will be addressed towards the end of the blog. The primary objective of this was to gain an easy entry point into one of these tech giant’s IT system’s in order to steal potentially confidential and proprietary information.
According to a report by Bloomberg, these surveillance cameras were literally the size of a rice grain which created a “ . . . stealth doorway into any network that included the altered machines.” (SOURCE: https://cyware.com/news/china-reportedly-implanted-surveillance-chips-ins-the-servers-over-30-major-us-tech-giants-8852a834).
Apparently, this attack began all the way in 2015, when the Chinese Cyber attackers infiltrated an organization known as Super Micro Computer, Inc. They manufactured the motherboards that were installed onto these servers. It was at this point in which the surveillance cameras were installed. During this time frame, Apple was using over 7,000 servers, which could have very well contained these tainted motherboards. These servers were being used to provide the critical functionality support for Apple’s Virtual Personal Assistant, Siri.
In fact, Apple was even planning to purchase up to 30,000 brand new servers containing the motherboard from Super Micro. Whether they continued with this procurement is still not known yet, and has at least not been confirmed at this time. All of this information has been provided by Bloomberg, which states that they have confirmed these details from 17 different, anonymous sources.
These surveillance cameras were also discovered by Amazon, and even reported to the FBI by them. They were noticed when the IT Staff at Amazon were conducting routine audits of the servers that they had received from China. But in this case, a different motherboard vendor was used by Amazon, called Elemental Technologies.
But, both Apple and Amazon vehemently deny that this all happened. This the story from Amazon:
“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.” (SOURCE: https://cyware.com/news/china-reportedly-implanted-surveillance-chips-ins-the-servers-over-30-major-us-tech-giants-8852a834).
This is the story from Apple:
“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.” (SOURCE: https://cyware.com/news/china-reportedly-implanted-surveillance-chips-ins-the-servers-over-30-major-us-tech-giants-8852a834).
And of course, the Chinese Government has had nothing to say when they were approached on this subject, all they could simply say was that they are a victim as well.
My thoughts on this?
This is of course a very serious issue. One should realize that all aspects of the logistics/supply chain are at grave risk, from the point of origination all the way to the point of destination, which are usually US maritime ports. Even here, Security has to be tight. But, the main concern is at the time the product is manufactured, and packed into the cargo holds for shipping.
From what I understand, there is hardly any Security measures that take place at this point, thus the Chinese Cyber attackers were able to do what they did. This trend is now increasing sharply in the software and hardware industry, and has all parties concerned.
This now comes down to an issue is, if companies here in the United States, especially the tech giants should now be required to audit each and every piece of hardware and software that comes from abroad.
This won’t happen, because the capital expenditure that is required to get such detection is steep, and very often, they may not even be able to detect something as small as the surveillance camera that the Chinese Cyber attackers deployed.
Companies like Amazon and Apple have the huge financial capital to simply get rid of any suspected servers that are tainted, and get new ones. But what about a small business? Obviously, they cannot afford to do this, so that is why there is a new trend now to move from On Premises solution to a Cloud based one, where there are much stricter controls on Security.
For example, many small businesses now make use of the Amazon Web Services (AWS) and Microsoft Azure, and reportedly, they do have some mechanism set into place that can detect for any thing malicious that has been added into their Virtual Servers. But, even this is still not yet enough to guarantee 100% protection.
So how does one fix this problem? The answer is there really may never be answer. Keep in mind that the logistics and supply chains are gargantuan industries, and it would take a massive upheaval of current processes in order to ensure any kind or type of safety. And if this were to occur, there are still Security risks that will be there.
One thought has been to treat electronic components and the entire manufacturing as parts of Critical Infrastructure, so that they would receive some sort of special attention when it comes to the implementation of safeguards. But then again this would require another entire revamp of the design processes of everybody involved, which again is impossible.
Probably the more immediate solution is to simply create newer Legislation that will hold individuals and third parties responsible if they are caught tampering with the logistics/supply chains, especially at the time of input. One such Legislation has been passed some time ago, and it is officially known as the “Customs-Trade Partnership Against Terrorism”, or “C-TPAT” for short.
In short, it requires that importers and exporters wanting to do business in the United States must abide by a strict set of Security protocols when they package their cargo overseas and ship it over to a US port of destination. I have actually written a detailed article about this for a client, and once it is published, I will post it here.
I guess the only thing we can do is the above, and simply hope and pray for the best, that nothing major will happen. It will all come down to a matter of trust, but in today’s Cyber world, that the meaning of that word is very difficult to achieve.