Who Cares if Supermicro Happened. Supply Chain Attacks are Real and It’s Time to Pay Attention

October 09, 2018 By Matt Howard


A shot heard around the world was fired last week when Bloomberg published its article “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.” In it, Jordan Robertson and Michael Riley explain how Chinese spies allegedly infiltrated nearly 30 U.S. companies by embedding malicious microchips on Supermicro motherboards. The motherboards, presumed to be of the highest quality, were deployed inside U.S. data centers, which then afforded bad actors easy access to massive amounts of sensitive information. As the article states, this was “the most significant supply chain attack known to have been carried out against American companies.”

To give even more context to the potential scale of this, Robertson and Riley quote a former U.S. intelligence official who said, “Think of Supermicro as the Microsoft of the hardware world.” He then continued, “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

As the dust began to settle from the initial shock of what Bloomberg was claiming, most of the companies mentioned in the article vehemently denied its claims. Apple even wrote a letter to Congress, saying the story was “simply wrong.” Both the U.K. National Cyber Security Centre and the U.S. Department of Homeland Security have said they have no reason to doubt the companies’ denials.

While I have no idea if the Bloomberg story is right or wrong -- I do know that supply chain attacks are already happening in the wild -- and this should be a wake-up call for all of us.

Software is Even Easier to Pollute than Hardware

While the Supermicro story pertains to an alleged attack on a hardware supply chain, the scary truth is that it is much easier for bad actors to infiltrate a software supply chain. A hardware implant requires physical access to the board somewhere between the factory and the data center. A software implant requires only a stolen publishing credential or a change merged without scrutiny, and it can be planted from anywhere in the world.

To this end, I’ve witnessed 10 events during the past 2 years that triangulate a serious escalation of software supply chain attacks. Specifically, adversaries have directly injected malicious code into open source ecosystems and projects. In some cases, these compromised components have been subsequently and unwittingly used by software developers to assemble applications. These compromised applications, which are assumed to be safe, are then made available for use by consumers and businesses alike. The risk is significant, and it is unknown to everyone except the person who intentionally planted the compromised component inside the software supply chain.

A Shifting Battlefront of Attacks

Historically, software attacks have occurred after a new vulnerability has been publicly disclosed, not before. The “bad guys” pay close attention to public disclosures, and whenever a new vulnerability is announced they move quickly to exploit it before the “good guys” can patch it. It is a great business model, especially when you consider that only 38% of companies are actively monitoring and managing their software supply chain hygiene.

Today, the game has changed. Organizations must now contend with the fact that attackers are intentionally planting malicious code directly into the supply of open source components. In one such example from April 2018, a core contributor to conventional-changelog (a widely used JavaScript package) had his npm publishing credentials compromised. Using those credentials, a bad actor published a malicious version of conventional-changelog (version 1.2.0) to npmjs.com. Because most dependents referenced the package by a semver range rather than a pinned version, any fresh install during that window picked up the malicious release automatically. Although the tampered package was only available for about 35 hours, estimates are that it was downloaded and installed more than 28,000 times. Some percentage of those installs were then assembled into applications that were released to production. The result is that those organizations unwittingly shipped a Monero cryptocurrency miner into the wild, and the perpetrators of the supply chain attack profited handsomely.
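As an added example (Python, not code from the article or from Sonatype), here is a small audit of an npm lockfile that shows the two mechanics the incident above turns on: a caret range such as `^1.1.0` silently admits a newly published 1.2.0, and a lockfile is only as good as the pinned versions and integrity hashes it records. The package names `release-tool` and `left-utils` are hypothetical, the `integrity` values are placeholders rather than real hashes, and the only advisory entry is the conventional-changelog 1.2.0 release the text describes.

```python
"""Audit a constructed npm lockfile (lockfileVersion 1 layout) for a
known-malicious release, missing integrity hashes, and semver ranges that
would have accepted the malicious version on a fresh install."""
import json

# Constructed sample lockfile: 'release-tool' and 'left-utils' are hypothetical
# package names; the integrity strings are placeholders, not real hashes.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app", "version": "1.0.0", "lockfileVersion": 1, "requires": true,
  "dependencies": {
    "release-tool": {
      "version": "4.3.0",
      "resolved": "https://registry.npmjs.org/release-tool/-/release-tool-4.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER-A",
      "requires": { "conventional-changelog": "^1.1.0" },
      "dependencies": {
        "conventional-changelog": {
          "version": "1.2.0",
          "resolved": "https://registry.npmjs.org/conventional-changelog/-/conventional-changelog-1.2.0.tgz",
          "integrity": "sha512-PLACEHOLDER-B"
        }
      }
    },
    "left-utils": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/left-utils/-/left-utils-2.0.1.tgz"
    }
  }
}
""")

# Advisory list keyed by (package, version); a real tool would load this from a
# vulnerability feed. The single entry is the incident described in the text.
KNOWN_BAD = {
    ("conventional-changelog", "1.2.0"):
        "malicious release published with stolen npm credentials (Monero miner)",
}


def parse_version(v):
    """'1.2.0' -> (1, 2, 0). Prerelease tags are out of scope for this demo."""
    return tuple(int(x) for x in v.split("."))


def range_allows(spec, version):
    """Does the declared range admit `version`? Handles caret (^), tilde (~)
    and exact specs. Caret permits any change that leaves the leftmost
    non-zero component untouched, which is why ^1.1.0 accepts 1.2.0."""
    cand = parse_version(version)
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        idx = next((i for i, x in enumerate(base) if x != 0), len(base) - 1)
        return cand >= base and cand[:idx + 1] == base[:idx + 1]
    if spec.startswith("~"):
        base = parse_version(spec[1:])          # patch-level changes only
        return cand >= base and cand[:2] == base[:2]
    return parse_version(spec) == cand          # exact pin


def walk_dependencies(node, path=()):
    """Yield (path, entry) for every package, descending into nested
    'dependencies' so transitive packages are covered."""
    for name, entry in node.get("dependencies", {}).items():
        node_path = path + (name,)
        yield node_path, entry
        yield from walk_dependencies(entry, node_path)


def scan_lockfile(lock, known_bad=KNOWN_BAD):
    """Findings: known-malicious versions, and entries with no integrity hash
    (the tarball contents are then not pinned, only the version string)."""
    findings = []
    for path, entry in walk_dependencies(lock):
        name, version, label = path[-1], entry.get("version"), " > ".join(path)
        reason = known_bad.get((name, version))
        if reason:
            findings.append({"kind": "known-malicious", "path": label,
                             "detail": f"{name}@{version}: {reason}"})
        if "integrity" not in entry:
            findings.append({"kind": "missing-integrity", "path": label,
                             "detail": f"{name}@{version} has no integrity hash"})
    return findings


def ranges_admitting(lock, package, version):
    """Dependents whose declared range for `package` would accept `version`
    on an install without a lockfile, i.e. who would have pulled it in."""
    hits = []
    for path, entry in walk_dependencies(lock):
        spec = entry.get("requires", {}).get(package)
        if spec and range_allows(spec, version):
            hits.append((" > ".join(path), spec))
    return hits


if __name__ == "__main__":
    for f in scan_lockfile(SAMPLE_LOCK):
        print(f"[{f['kind']}] {f['path']}: {f['detail']}")
    for dependent, spec in ranges_admitting(SAMPLE_LOCK, "conventional-changelog", "1.2.0"):
        print(f"{dependent} requires {spec}, which admits 1.2.0 on a fresh install")
```

Run against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))`; the missing-integrity check is what turns a version pin into a content pin, and the range check tells you which of your dependents would have pulled a malicious release during the window in which it was live.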

So, here’s the point.   Whether the Bloomberg report on Supermicro is real or not -- the truth is that attacks are already happening on our technology supply chains -- both software and hardware.  Furthermore, it’s much easier for bad actors to pollute the global supply of open source software components than it is for them to implant chips on computer motherboards. Now more than ever, it’s time to talk about ways to secure our supply chains.

Tags: software supply chain hygiene, 2018 State of the Software Supply Chain, supply chain attacks, Supermicro, Bloomberg, News and Views, Industry commentary

Written by Matt Howard

Matt is a proven executive and entrepreneur with over 20 years of experience developing high-growth software companies. At Sonatype, he leads corporate marketing, strategic partnering, and demand generation initiatives.