Waking up from a nightmare. (Probably. For now...)
Bloomberg's report of a Chinese hardware seeding attack on the IT supply chain came in for additional criticism this week. Both Apple and Amazon immediately denied the truth of the report as soon as it was published. The UK's National Cyber Security Centre said it had no reason to doubt the denials, and the US Department of Homeland Security followed suit: "Like our partners in the UK... at this time we have no reason to doubt the statements from the companies named in the story."
Bloomberg offered partial corroboration Tuesday. Norway's National Security Authority said that it has been "aware of an issue" with respect to Supermicro devices since June, but couldn't confirm Bloomberg's report. A Maryland security firm, Sepio Systems, told Bloomberg it had found the Chinese spy chips on some Supermicro components in a client's servers. A nondisclosure agreement prevented them from saying which client it was, but they did say it was a telecommunications company (Bloomberg). Motherboard says it hasn't been able to find an affected telco.
Rob Joyce, NSA's senior advisor for cybersecurity strategy, said Wednesday he's seen no evidence the campaign happened. He pointed out that denials by Apple, Amazon, and others matter. Their directness and specificity would expose the companies to considerable legal risk if they proved untrue. "What I can't find are any ties to the claims in the article... If somebody has first-degree knowledge, can hand us a board, and point to somebody in a company that was involved in this as claimed, we want to talk to them" (RealClearPolitics). Congress is preparing its own investigations (Washington Post).
This supply chain attack would be a "nightmare," wrote the Daily Beast, but the world may be waking to realize that (this time) it was all a bad dream. There has been considerable skepticism across the security industry, and two of the story's sources clarified their statements in ways that undermine the account (Malwarebytes). Many observers point to an a priori implausibility: if China had these chips, why would it resort to the other techniques so often seen (Ars Technica)?
Sophos has suggestions about what to do against the possibility that the nightmare might come true. First, partition networks. Second, use two-factor authentication. And third, keep logs and use them (Naked Security).