Russia-based cybersecurity company Kaspersky Lab today said that while "hardware supply chain attacks are a reality," evidence suggests Bloomberg Businessweek's report about Chinese intelligence tampering with server motherboards manufactured by Apple's former supplier Supermicro is "untrue."
Kaspersky Lab said the report "should be taken with a grain of salt" in its 14-page analysis of the alleged attack, obtained by MacRumors:
The stories published by Bloomberg in October 2018 had a significant impact. For Supermicro, it meant a 40% stock valuation loss. For businesses owning Supermicro hardware, this can be translated into a lot of frustration, wasted time, and resources. Considering the strong denials from Apple and Amazon, the history of inaccurate articles published by Bloomberg, including but not limited to the usage of Heartbleed by U.S. intelligence prior to the public disclosure, as well as other facts from these stories, we believe they should be taken with a grain of salt.
Kaspersky Lab added that the language in both Apple and Amazon statements denying the Bloomberg Businessweek report are "pretty strong" and "leaves little to no chance of retractions or denials at a later time." The firm added that the statements are regulated by the SEC in the United States.
The key part of Apple's statement was as follows:
On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
In a press release, Apple later said it is not under any kind of gag order or other confidentiality obligations.
Referring to Apple's mid-2016 detection of malware-infected firmware in specific Supermicro servers that were used internally only, Kaspersky Lab said it believes it is "quite possible that the Bloomberg journalists misunderstood the incident and included it in the hardware supply chain attack story."
The analysis said hardware-based attacks like the one alleged in the Bloomberg Businessweek report are sophisticated, difficult to implement, and expensive. "For instance, even if a server board is compromised during manufacturing, it is complicated to ensure that it finds its way to a certain target."
The accuracy of Bloomberg Businessweek's report has been questioned by not only Kaspersky Lab, but the Department of Homeland Security, the U.K.'s National Cyber Security Centre, and NSA senior advisor Rob Joyce.
Moreover, Apple's recently retired general counsel Bruce Sewell said he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Supermicro, and was told that nobody at the federal law enforcement agency knew what the story was about.
Apple's aggressive campaign to deny the report extends to unnamed senior executives within the company. Supermicro and Amazon, also named in the report, have likewise issued strongly-worded denials of the report.
Bloomberg Businessweek continues to stand by its reporting, and has since followed up with a second story that claims a major U.S. telecommunications company discovered manipulated hardware from Supermicro in its network and removed it in August, citing a security expert working for the telecom company.
The original report, citing 17 unnamed sources, claimed that Chinese spies planted tiny chips the size of a pencil tip on server motherboards manufactured by Supermicro at its Chinese factories. The servers were then sold to companies such as Apple and Amazon for use in their respective data centers.
An unnamed government official cited in the report said China's goal was "long-term access to high-value corporate secrets and sensitive government networks," but no customer data is known to have been stolen.
The report claimed that Apple discovered the suspicious chips on the motherboards around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders were cited as saying the company reported the incident to the FBI, but kept details about what it had detected tightly held.
Apple dropped Supermicro as a supplier in 2016, after the incident with the malware-infected firmware updates.
We've covered Bloomberg Businessweek's report in extensive detail over the past week, with all of our coverage available in our "The Big Hack" archive. At this point, it remains a stalemate between Apple and Bloomberg.
Kaspersky Lab itself has faced controversy, with several reports over the last year claiming its software was compromised by Russian intelligence. Nevertheless, Motherboard said the firm "continues to have a good reputation in the industry," particularly as it relates to its ability to discover malware.
Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.
