New updates of the chinese Big Hack : between denial and proof
On October 4th, 2018, an investigation was published in Bloomberg’s Businessweek reporting that there was a hardware attack conducted in China by integrating malicious microchips on servers’ motherboards that were sold to more than 30 US-based companies including Apple, Amazon and Supermicro, the American giant server-maker.
Those chips were “the ultimate backdoor” that stayed hidden, who assured permanent access for their owners to all kinds of data circulating on the servers. The attackers, according to Bloomberg’s report, do not aim at usual consumer data; they specifically seek to guarantee long-time access to corporate and intellectual properties and sensitive governmental networks.
A year later, the exactness of the published story, is not confirmed yet. The companies themselves, senior US and Chinese governmental officers and many cybersecurity experts are still denying the affair. Apple’s CEO Tim Cook commented to Bloomberg’s report by saying: “They should retract their story, there’s no truth in their story about Apple”.
Amazon has also made a clear announcement by publishing a post saying: “there are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”
However, Bloomberg keeps standing by its story and insists on the reliability of its reporting and sourcing system. According to Jordan Robertson, the co-author of “The Big Hack”, this investigation was a fruitful one year work in which more than 100 interviews were made including highly qualified governmental officers and IT industrials.
He also qualified the denials to his story as a “typical policy for transparency purposes”. When asked about the unclear position of the US government he replied: “the US government is in a very tricky position because if they announce the breach this could potentially damage the US Company.”
True or not, this investigation has rung the bell for a less known hacking method. Attacking hardware is a very delicate issue to handle by companies’ cybersecurity departments which is only possible if better mechanisms of inspecting, testing and evaluating the hardware’s security are applied before using them.