Bloomberg Businessweek - The Big Hack

The Chinese government has put secret spy chips on US government servers. They’re stealing secrets from Apple and Amazon. And the US government is engaged in a massive effort to prevent us from learning anything about it, for unknown reasons.

Maybe.

How about this: the US government is mounting a full-court disinformation campaign, spreading lies through multiple sources to discredit China and gain an advantage in trade wars – and taking down a huge media entity as collateral damage.

Maybe.

It all starts with a magazine article.

In early October, Bloomberg Businessweek published a story that rocked the technology and cybersecurity worlds. In The Big Hack, veteran reporters Jordan Robertson and Michael Riley reported that Chinese spies had managed to insert secret chips inside motherboards used by as many as 30 US companies, including Apple and Amazon, and multiple US government agencies. The reporters alleged that the tiny chips in Supermicro motherboards would allow China to steal trade and other secrets from the US – and potentially even allow the Chinese to control the servers.

There are many unanswered questions about the article at the beginning of 2019, three months after publication. At some point we may know more about the underlying facts and the reporting that gave rise to the story. But right now, it is the most interesting technology story of 2018 (and possibly 2019) because the questions it raises are profoundly important even if the story turns out to be completely wrong.

 


The Story

Supermicro is a US company that uses Chinese manufacturing facilities to make highly customizable motherboards, selling over $2 billion a year of servers and motherboards to Apple, Amazon, and many other US companies and government agencies. The Bloomberg article alleges that the Chinese People’s Liberation Army (PLA) quietly bribed or threatened four subcontractors to modify the design of Supermicro motherboards to include a tiny chip – smaller than a grain of rice – that would allow the PLA to take over the server or at least send information back to China.

The article goes on to describe a top-secret government investigation triggered by Amazon’s discovery of the chip in servers marketed by Elemental that used Supermicro motherboards. “Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”

The reporters claim that Apple independently discovered suspicious chips in Supermicro servers in May 2015. “Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official.”

Bloomberg reached out to Apple, Amazon and Supermicro prior to publication. The companies unequivocally denied the allegations. But Bloomberg decided to publish the story anyway because it was so confident in the large number of sources who had confirmed all the details in the story over the course of a lengthy investigation. “The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.”

Chinese spies with access to sensitive US and corporate data! Bloomberg knew this was a bombshell story and clearly intended to change the tech conversation in this country.

That’s not quite what happened – and that’s the interesting part.

 


The Reaction

The story exploded.

Supermicro lost over 40% of its value the day after publication. Apple and Amazon fiercely denied the report in public statements on the day the article appeared. Government officials denied any knowledge of the investigations described in the article. Motherboard specialists closely examined every Supermicro board in sight, trying to find the elusive extra chip. Security experts combed through the logs of every packet going in and out of large companies, looking for unexpected bits on their way to China.

No corroborating evidence turned up – no photos, no statements on or off the record, no unexplained log entries.

Bloomberg did not back down. It issued a statement that said, in part: “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews. We stand by our story and are confident in our reporting and sources.”

Then the heat on Bloomberg was turned up.

Apple’s denial of the claims in the story continued unabated – vociferous, detailed, and unambiguous. Tim Cook went on the record to state flatly, “There is no truth in their story about Apple. They need to do the right thing and retract it.” Apple has never previously called for the retraction of a story. Apple senior engineers have said repeatedly that everything about Apple in the Bloomberg story is completely false.

Amazon’s denials were equally clear, broad, and unambiguous, and Amazon Web Services CEO Andy Jassy joined Apple in demanding a retraction.

Supermicro hired a third-party company to audit its motherboards. Supermicro reported that the audit had found nothing whatsoever: “After a thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.”

The secretary of the Department of Homeland Security denied the report in a Senate hearing. Senior NSA cybersecurity officials denied the report.

Bloomberg has quietly been seeking additional corroboration for the story but has not publicly altered its stance. It is standing by its story.

 


The Mystery

There are three possibilities. Each leads to some difficult unanswered questions.

(1) The article is completely fabricated or based on such gross misunderstandings that the reporters bear all the blame.

(2) The article is true or has significant elements of truth.

(3) The article is based on accurate reporting of the information Bloomberg obtained from sources but it is nonetheless completely false.

Let’s follow each one.

 

Theory 1: The reporters blew it

Criticism of the article has been fierce. You can find experts who say the attack described in the article is impossible. (Others point out that hardware-based attacks are absolutely possible, even if the article’s language is imprecise.) One of the named sources in the story says the reporters presented his hypotheticals as if they were actually happening.

As time goes on, it seems more likely that something is wrong with the story. The reporters may have carried things too far and forced statements to fit their narrative. But it doesn’t sit right to dismiss the article as a work of fiction or gross negligence and stupidity.

This article wasn’t written by a couple of bloggers running amok without supervision. Bloomberg is an old-fashioned media company that does journalism, and journalism matters.

Bloomberg is a ten-billion-dollar company that runs a wire service, a global television network, newsletters, magazines, and websites. It has spent decades earning credibility as a news source. Bloomberg Businessweek is one of its flagship properties and is respected as a reliable source of business news and analysis. This story was clearly intended to bolster Bloomberg Businessweek’s reputation for investigative reporting.

The two reporters credited on the story did not work alone. There was almost certainly a small army of editors, executives, and committees that vetted the article before it was made the cover story of Bloomberg Businessweek. If Bloomberg is to be believed, the reporters gathered information for more than a year, including more than a hundred interviews. The reporters have been covering enterprise technology for a long time and undoubtedly consulted technical experts during the preparation of the story.

I can’t make myself believe that Bloomberg editors and reporters spun a gossamer web of conspiracies and spies and destroyed Bloomberg Businessweek’s credibility for the sake of a few clicks. (And there’s yet another possibility, which is that Bloomberg knowingly published a fake story as a willing shill for the administration. Let’s hope for the sake of our country that we’re not at that point.)

 

Theory 2: The article is true

Imagine that Bloomberg is onto something, and the government wants to cover it up.

There are a couple of problems with that. The biggest one: publicly traded companies don’t flatly lie in public statements. They evade. They change the subject. They find ambiguous words. But they don’t – they can’t – say things that are complete lies. That’s why it’s so interesting that Amazon and Apple both denied the story unambiguously, forcefully, in a way that left no wiggle room and no details unaddressed.

The other problem is the sheer number of different sources cited by the reporters – people in different positions at Amazon and Apple, people in several different government agencies. If the story is even remotely true, then it also potentially could be verified by others who were not sources and could comment on or off the record.

For the government to keep a lid on this story, it would have to execute a flawless cover-up, obtaining (or compelling) the silence of the leaders of the largest companies in the world as well as engineers and security officials throughout the government and multiple private companies. There is no reason to think that any administration (especially this one) could carry that off without a leak, no matter what was at stake.

If the article is true and the government is engaged in a cover-up, there must be something hugely important at stake. What national security secrets are so important that they are worth that kind of effort?

 

Theory 3: The sources told Bloomberg what was reported, but the sources were making it up

There’s another possibility that’s even deeper down the conspiracy rabbit hole.

Look again at the article. It’s got many specific statements attributed to specific sources: according to the reporters, two senior Apple insiders said the company reported an incident to the FBI; a government official and two Amazon Web Services insiders provided extensive information about the Amazon discovery; three Apple insiders and four government officials confirmed that Apple was a target; and so on.

It seems clear that the Bloomberg reporters talked to a lot of people and they were told a lot of specific things. What if the article accurately reflects the story told to the reporters by their sources? That would require an equally flawless effort by the government to create a fabricated story and convince people in many different government agencies and private companies to be anonymous sources as Bloomberg was led along the path.

It’s unlikely. Big conspiracies almost never happen. People aren’t that good at lying and there’s always someone to spill the beans.

But is it impossible? According to a report published two weeks before the Bloomberg article, “The Trump administration is planning to launch a major, administration-wide, broadside against China. . . . The broadside – planned to be both rhetorical and substantive – will be ‘administration-wide,’ including the White House (led by senior officials on the National Security Council), Treasury, Commerce and Defense.” Sources allegedly said that the White House would “unveil new information about China’s hostile actions against America’s public and private sectors”, including China’s activity in cyberattacks and industrial warfare.

The Trump administration has several reasons to attack China: it diverts attention from Russia; inflaming anti-China public opinion helps garner support for Trump’s trade war; and perhaps China deserves it.

In the last few months, federal officials have been arguing aggressively that China has stolen American technology through hacking and industrial espionage. We are told that China was behind the Marriott hack that was in the news last month, as well as the hack of the US Office of Personnel Management database and of Anthem Insurance in 2014. US officials have described a massive Chinese government effort to build dossiers on US citizens. You can’t buy a phone in the US made by Huawei – the second largest phone manufacturer in the world, ahead of Apple – because of intense government pressure to be afraid of devices made in China, although no specifics have ever been provided. We caused Huawei’s CFO to be arrested in Canada for no particular reason other than to escalate tension with China.

I can’t quite shake the possibility that Bloomberg was a pawn in a disinformation campaign by the US government to whip up anti-China sentiment.

Probably not! If Bloomberg had only spoken to NSA officials, say, we might be more suspicious, but the reporters talked to too many people in too many places for the government to control the whole thing without anyone coming forward now to expose the operation.

And yet, and yet . . . . I wish I felt completely confident about that.

At some point there will be some follow-up to this story. Perhaps Bloomberg will retract the story with a convincing explanation of how it made such a terrible mistake, taking a hit to its credibility and probably destroying the careers of the reporters.

Who did those reporters talk to? What did the sources say and why did they say it? If Bloomberg retracts the story, should we believe the retraction, or is it just one more step in the cover-up? Where is the truth in a world where truth is fluid?
