News outlet Bloomberg is continuing to stick by a report from its subsidiary Bloomberg Businessweek claiming that additional hardware components allowing back-door access were inserted into Supermicro hardware used by companies including Apple and Amazon, quoting a new source claiming to have uncovered evidence of the breach at a US telecommunications company.
Bloomberg Businessweek raised eyebrows earlier this month with a report claiming to have uncovered evidence that a nation-state attacker had implanted tiny components in server hardware manufactured in China on behalf of Super Micro Computer (known as Supermicro). These servers, the outlet's sources claimed, were then adopted by 30 companies including Apple and Amazon, providing the attacker with full access to the compromised hardware.
The companies named in the report quickly issued denials, and have since been joined by law enforcement and security services from the US and beyond. Experts have picked holes in Bloomberg Businessweek's story, including at least one quoted as supporting the theory, while imagery designed to highlight the appearance of the supposed back-door component has been revealed to be an off-the-shelf signal conditioner with no apparent modification.
Bloomberg, though, is continuing to stick to its story, and has now issued an update quoting security expert Yossi Appleboum as having discovered the same malicious components during his work for an unnamed US telecommunications company. 'Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that's used to attach network cables to the computer,' the paper reports Appleboum as confirming, citing 'documents, analysis and other evidence of the discovery' provided by Appleboum to its reporters in support of the claim.
Apleboum goes still further, claiming to have seen similar hardware-level attacks against devices from numerous vendors rather than exclusively Supermicro, blaming the 'Chinese supply chain' for making the attacks possible.
Supermicro, naturally, continues to deny the outlet's claims, reiterating that it has 'no knowledge of any unauthorised components and have not been informed by any customer that any such components have been found,' accusing Bloomberg of providing only limited information, no documentation, and only half a day to investigate and respond to its report prior to publication - an accusation Bloomberg refutes, claiming it provided a full 24 hours.
Investor response to the outlet's claims has been strong: On publication of the original story Supermicro's stock dropped 41 percent, with a further 27 percent loss following this latest report.
January 24 2020 | 12:00