
A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley explain how Chinese spies infiltrated nearly 30 U.S. companies by including compromised microchips in Supermicro motherboards, which those companies then deployed across their data centers. Once installed, those microchips could be reached by the attackers, who could then control the motherboards remotely. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.”

To give even more context to the potential scale of this, Robertson and Riley quote a former U.S. intelligence official who said, “Think of Supermicro as the Microsoft of the hardware world.” He then continued, “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

As the dust began to settle from the initial shock of what Bloomberg was claiming, most of the companies mentioned in the article vehemently denied its claims. Apple even wrote a letter to Congress, saying the story was “simply wrong.” Both the U.K. National Cyber Security Centre and U.S. Homeland Security have said they believe Apple and Amazon are telling the truth — and that the alleged Supermicro hack never happened.

Regardless of whether the Bloomberg story is valid, supply chain attacks are already happening in the wild, and this should be a wake-up call for all of us.


Software is even easier to pollute than hardware

While the Supermicro story pertains to an alleged attack on a hardware supply chain, the scary truth is that it’s much easier for bad actors to infiltrate and hack a software supply chain. With hardware, you need to physically access something in order to conduct a hack. With software, you can do it from anywhere.

To this end, I’ve witnessed 10 events during the past 2 years that together point to a serious escalation of software supply chain attacks. Specifically, adversaries have directly injected vulnerabilities into open source ecosystems and projects. In some cases, these compromised components have subsequently and unwittingly been used by software developers to assemble applications. These compromised applications, which are assumed to be safe, are then made available to consumers and businesses alike. The risk is significant — and it’s unknown to everyone except the person who intentionally planted the compromised component inside the software supply chain.

Historically, software hacks have occurred after a new vulnerability has been publicly disclosed, not before. Effectively, “bad guys” have paid close attention to public disclosures — and any time a new vulnerability has been announced, they have moved quickly to exploit it before “good guys” could patch it. It’s a great business model — especially when you consider that only 38 percent of companies are actively monitoring and managing their software supply chain hygiene.

Today, the game has changed. Organizations now must contend with the fact that hackers are intentionally planting vulnerabilities directly into the supply of open source components. In one such example from February 2018, a core contributor to the conventional-changelog ecosystem (a common JavaScript code package) had his commit credentials compromised. A bad actor, using these credentials, published a malicious version of conventional-changelog (version 1.2.0) to npmjs.com. While the intentionally compromised component was only available in the supply chain for 35 hours, estimates are that it was downloaded and installed more than 28,000 times. Some percentage of these vulnerable components were assembled into applications that were then released into production. The result is that those organizations unwittingly shipped a Monero cryptocurrency miner into the wild — and the perpetrators of the supply chain hack profited handsomely.

So, here’s the point: Whether the Bloomberg report on Supermicro is valid or not, attacks are already happening on our technology supply chains — both software and hardware. Now more than ever, it’s time to talk about ways to secure our supply chains.

Brian Fox is SVP and Chief Technology Officer of Sonatype.
