Bloomberg Revisits their 2018 Story titled 'The Big Hack' in an updated report titled 'The Long Hack: How China Exploited a U.S. Tech Supplier'
In October 2018, Bloomberg posted a controversial report titled "The Big Hack" about how China used a tiny chip to infiltrate America's top companies like Apple and Amazon. Apple wasted no time in denying that it had been hacked. Apple even released a full press response noting that over the course of the past year, Bloomberg had contacted the company multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, Apple conducted rigorous internal investigations based on Bloomberg's inquiries, and each time it found absolutely no evidence to support any of them. Apple had repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple.
Twenty-eight months later and Bloomberg is back with a follow-up report titled "The Long Hack: How China Exploited a U.S. Tech Supplier." This time the report expands on their original report with a much wider view of their investigation up to 2018, without new evidence.
In the context of the streaming wars now in progress, perhaps Bloomberg is trying to get a documentary deal with Netflix or another major streamer, excluding Apple TV+ due to Apple vehemently denying the story in 2018. It could be as popular as, or more popular than, the recently released documentary on Apple TV titled "The Dissident." Who doesn't like to learn about international spy agencies? There's always deniability and then discovery of half-truths and facts supporting a conspiracy. Most of these documentaries are full of holes, but the storylines are always fascinatingly stitched together to produce a big question mark in your mind.
Bloomberg's follow-up report weaves such a compelling story with a mishmash of corporate and former government agency personnel testimony. And of course, some of the big targets in the report like Super Micro have lashed out at Bloomberg's report like any good villain would do in light of a powerful conspiracy theory.
An email response from Super Micro stated the following: "Bloomberg’s story, as they have characterized it to us, is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don’t withstand scrutiny. Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back 10 years, Supermicro has never been contacted by the U.S. government, or by any of our partners or customers, about these alleged investigations. Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing.
To the contrary, several of the U.S. government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years. Because we recognize that security threats are constantly evolving, we are vigilant and address issues as soon as we become aware of them. For example, years ago, Intel raised a question that we were not able to verify, but out of an abundance of caution, we promptly took steps to address. We have always valued our close partnership with Intel, which has always been strong. Bloomberg continues to attempt to revive its false and widely discredited 2018 story.
In response to those allegations, we have never found any malicious chips, even after engaging a third-party security firm to conduct an independent investigation on our products. Nor have we been informed by any customer or government agency that such chips have ever been found. In 2018, several public and private sector officials rebutted the story on the record.
Then-Secretary of the Department of Homeland Security Kirstjen Nielsen said we "do not have any evidence that supports the article," then-Director of National Intelligence Dan Coats stated that "we’ve seen no evidence" of manipulation of Supermicro products, Federal Bureau of Investigation Director Christopher Wray warned officials to "be careful what you read" about the 2018 Bloomberg claims, and Apple CEO Tim Cook said "it is 100 percent a lie, there is no truth to it" and urged Bloomberg to "do the right thing" and "retract their story."
Bloomberg's report then noted that "The Supermicro saga demonstrates a widespread risk in global supply chains, said Jay Tabb, a former senior FBI official who agreed to speak generally about China’s interference with the company’s products."
Tabb, who was the executive assistant director of the FBI’s national security branch from 2018 until he retired in January 2020, told Bloomberg that "Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China. It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured."
Tabb declined to address specifics of the FBI’s probe. However, in general, he noted that "The Chinese government has been doing this for a long time, and companies need to be aware that China is doing this. And Silicon Valley in particular needs to quit pretending that this isn’t happening."
In another chapter of the story, Bloomberg notes that "As military experts investigated the Pentagon breach, they determined that the malicious instructions guiding the Pentagon’s servers were hidden in the machines’ basic input-output system, or BIOS, part of any computer that tells it what to do at startup.
Two people with direct knowledge said the manipulation combined two pieces of code: The first was embedded in instructions that manage the order of the startup and can’t be easily erased or updated. That code fetched additional instructions that were tucked into the BIOS chip’s unused memory, where they were unlikely to be found even by security-conscious customers. When the server was turned on, the implant would load into the machine’s main memory, where it kept sending out data periodically.
Manufacturers like Supermicro typically license most of their BIOS code from third parties. But government experts determined that part of the implant resided in code customized by workers associated with Supermicro, according to six former U.S. officials briefed on the findings.
Investigators examined the BIOS code in Defense Department servers made by other vendors and found no similar issues. And they discovered the same unusual code in Supermicro servers made by different factories at different times, suggesting the implant was introduced in the design phase.
Overall, the findings pointed to infiltration of Supermicro’s BIOS engineering by China’s intelligence agencies, the six officials said.
Small batches of motherboards with the added chips were detected over time, and many Supermicro products didn’t include them, two of the officials said.
Alarmed by the devices’ sophistication, officials opted to warn a small number of potential targets in briefings that identified Supermicro by name. Executives from 10 companies and one large municipal utility told Bloomberg News that they’d received such warnings. While most executives asked not to be named to discuss sensitive cybersecurity matters, some agreed to go on the record."
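The kind of check that would surface the tampering Bloomberg describes (altered startup code plus extra data in the BIOS chip's unused space), as an added example that is not from Bloomberg, Supermicro or this article: it compares a full flash dump against a vendor reference image. The 0xFF erased value, the function names and the tiny sample images are assumptions constructed for illustration.

```python
import hashlib

ERASED = 0xFF  # assumption: erased cells of a NOR flash BIOS chip read back as 0xFF

def diff_ranges(dump: bytes, reference: bytes):
    """Yield half-open (start, end) ranges where the dump differs from the reference."""
    start = None
    for i, (a, b) in enumerate(zip(dump, reference)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            yield start, i
            start = None
    if start is not None:
        yield start, len(dump)

def audit_image(dump: bytes, reference: bytes):
    """Classify every deviation of a flash dump from the known-good reference image."""
    if len(dump) != len(reference):
        raise ValueError("image sizes differ; compare full-chip dumps only")
    findings = []
    for start, end in diff_ranges(dump, reference):
        ref = reference[start:end]
        # Data where the reference is fully erased means something was added to free space.
        kind = "data-in-unused-space" if all(b == ERASED for b in ref) else "modified-code"
        findings.append({"offset": start, "length": end - start, "kind": kind,
                         "sha256": hashlib.sha256(dump[start:end]).hexdigest()})
    return findings

def build_samples():
    """Constructed 256-byte images: 64 bytes of stand-in boot code, the rest erased."""
    code = bytes(range(1, 65))
    reference = code + bytes([ERASED]) * 192
    dump = bytearray(reference)
    dump[8:12] = b"\x90\x90\x90\x90"      # constructed change inside the boot code
    dump[200:216] = b"CONSTRUCTED-BLOB"   # constructed data placed in erased space
    return bytes(dump), reference

if __name__ == "__main__":
    dump, reference = build_samples()
    for f in audit_image(dump, reference):
        print(f"{f['kind']:<22} offset=0x{f['offset']:04x} len={f['length']} {f['sha256'][:16]}")
```

A whole-image hash only says that something changed; ranging and classifying the differences shows whether the change sits in code or in space the vendor image leaves empty.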
"This was espionage on the board itself," said Mukul Kumar, who said he received one such warning during an unclassified briefing in 2015 when he was the chief security officer for Altera Corp., a chip designer in San Jose. "There was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China."
After his in-person briefing, Kumar said, he learned that peers at two other Silicon Valley semiconductor companies had already received the same FBI warning.
"The agents said it was not a one-off case; they said this was impacting thousands of servers," Kumar said of his own discussion with FBI agents.
Frank Figliuzzi, who was the FBI’s assistant director for counterintelligence until 2012, told Bloomberg that "Supermicro’s tale of woe is a chilling wake-up call for the industry." While declining to address specifics, Figliuzzi agreed to speak publicly about the implications of Super Micro’s history with Chinese tampering.
"If you think this story has been about only one company, you’re missing the point," he said. "This is a ‘don’t let this happen to you’ moment for anyone in the tech sector supply chain."
For the full story, read the updated Bloomberg report titled The Long Hack. As I stated earlier, don't be surprised if this story becomes a documentary designed for the streaming market in the next year or two. I personally think it would be a hit, no matter what the truth is.