Bloomberg this week doubled down on its blockbuster report of Chinese spy chips inserted into the supply chain of a leading US server provider, claiming a leading telco found evidence of tampering.
The news site is under pressure after all main parties it claimed had been affected by the alleged sophisticated spying campaign vigorously denied the report. These included the server company itself, Supermicro, and customers Amazon and Apple — who were also backed by the UK’s GCHQ and the US Department of Homeland Security (DHS).
The unnamed telco was apparently hired by Yossi Appleboum, a former Israeli army tech specialist and now co-CEO of US-based Sepia Systems, to scan its datacenters.
According to the report, he uncovered “unusual communications” from a Supermicro server. A further inspection revealed an “implant” built into the Ethernet connector which appeared similar to other manipulations he’d seen by Chinese suppliers.
Supermicro claimed to have no knowledge of any unauthorized components and complained it was not given enough time or info to respond to the new allegations.
The latest hardware manipulation is different from the microchips alleged to have been placed on motherboards subsequently sold unwittingly to 30 major tech companies.
However, they had the same purpose, of providing unauthorized access to the network the server is installed on, and “were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China,” according to Bloomberg.
Experts have criticized the original story for containing few named sources. Apple has denied the allegations in the strongest terms, taking the unprecedented step of writing to lawmakers on the House and Senate commerce committees to reiterate these sentiments.
However, for some, it’s a timely reminder of the risks posed by modern global supply chains.
“It doesn’t require an implant from a nation state adversary,” argued Chris Day, chief cybersecurity officer at Cyxtera. “Organizations must protect themselves by practicing defense-in-depth, especially across their supply chain.”
Although the telco was unnamed, AT&T, Verizon and Sprint told Bloomberg it wasn’t them.