Motherboard Supply Chain Attack

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies – Bloomberg

I read this article in the fall of 2019. I cannot find my notes on it, but I somehow linked this 2018 article, which was largely debunked and ruled out as being too far-fetched, to the Equifax breach. The main connection I made was that the Chinese government is the one behind the Equifax breach and the timing of the attack curiously coincided with the release and reports of the massive supply chain motherboard disruption effort by China.

In the end, I believed that the motherboard supply chain attack involving Supermicro was real, and I somehow saw Equifax, who I believe used Supermicro computer servers, as being “proof” that the supply-chain attack was legitimate. This is the big question that I do not yet know the answer to.

This brings me to the current news today: the story is real, and a large portion of motherboards manufactured for use in servers used in the U.S. have been exploited to relay information from the U.S. to China.

Trying to track what I think occurred, I guess it would look something like this:

Equifax breach occurs shortly before the report released in 2018 by Bloomberg > Reports released say that Supermicro servers are built on motherboards with a massive supply chain security flaw > Many companies use Supermicro servers, including Equifax.

My thinking was that the Equifax breach could have been an exit strategy employed by China because they knew their Supermicro operation might be compromised. If this was the position the Chinese government found itself in, what information would they choose to exfiltrate?

The banking/credit information of 1 in 3 Americans seems convincing.

The consensus from InfoSec professionals seems to be that the event actually occurred with Supermicro. Of course, this is something that the U.S. government has publicly denied (which is probably appropriate given the gravity of the situation). But that is to be expected, especially if the NSA had advance knowledge of the Supermicro supply chain attack prior to the 2018 Bloomberg article breaking but was/is unable to do anything about it.

Here is the new story that came out a few days ago (“The Big Hack” (2018) -> “The Long Hack” (2021)).

Supermicro Hack: How China Exploited a U.S. Tech Supplier Over Years (bloomberg.com)

The question now is to find out for certain if Equifax used Supermicro components in their systems. If they did not, this remains a far-fetched theory, but it nevertheless ignites my creative passions.

-TFF

