A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley, explain how Chinese spies infiltrated nearly 30 U.S. companies by including compromised microchips in Supermicro motherboards, which those companies then used across data centers. Once installed in the data centers, those microchips could be accessed by the bad actors who could then control the motherboards from afar. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.”
To give even more context to the potential scale of this, Robertson and Riley quote a former U.S. intelligence official who said, “Think of Supermicro as the Microsoft of the hardware world.” He then continued, “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
As the dust began to settle from the initial shock of what Bloomberg was claiming, most of the companies mentioned in the article vehemently denied its claims. Apple even wrote a letter to congress, saying the story was “simply wrong.” Both the U.K. National Cyber Security Center and U.S. Homeland Security have said they believe Apple and Amazon are telling the truth — and that the alleged Supermicro hack never happened.
Regardless of whether the Bloomberg story is valid, supply chain attacks are already happening in the wild, and this should be a wake-up call for all of us.
Software is even easier to pollute than hardware
While the Supermicro story pertains to an alleged attack on a hardware supply chain, the scary truth is that it’s much easier for bad actors to infiltrate and hack a software supply chain. With hardware, you need to physically access something in order to conduct a hack. With software, you can do it from anywhere.
To this end, I’ve witnessed 10 events during the past 2 years that triangulate a serious escalation of software supply chain attacks. Specifically, adversaries have directly injected vulnerabilities into open source ecosystems and projects. In some cases, these compromised components have been subsequently and unwittingly used by software developers to assemble applications. These compromised applications, which are assumed to be safe, are then made available for use by consumers and businesses alike. The risk is significant — and it’s unknown to everyone except the person that intentionally planted the compromised component inside of the software supply chain.
Historically, software hacks have occurred after a new vulnerability has been publicly disclosed, not before. Effectively, “bad guys” have paid close attention to public disclosures — and any time a new vulnerability has been announced, they move quickly to exploit it before “good guys” can patch it. It’s a great business model — especially when you consider that only 38 percent of companies are actively monitoring and managing their software supply chain hygiene.
So, here’s the point: Whether the Bloomberg report on Supermicro is valid or not, attacks are already happening on our technology supply chains — both software and hardware. Now more than ever, it’s time to talk about ways to secure our supply chains.
Brian Fox is SVP and Chief Technology Officer of Sonatype.