A shot heard around the world was fired last week when Bloomberg published its article "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies." In it, Jordan Robertson and Michael Riley describe how Chinese spies infiltrated nearly 30 American companies by planting compromised microchips on Supermicro motherboards, which those companies then deployed in their data centers. Once installed, the chips could be reached by the attackers, who could then control the motherboards remotely. As the article puts it, this was "the most significant supply chain attack known to have been carried out against American companies."
To convey the potential scale, Robertson and Riley quoted a former US intelligence officer who said: "Think of Supermicro as the Microsoft of the hardware world." He continued, "Attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world."
When the dust began to settle from the initial shock of Bloomberg's claims, most of the companies named in the article rejected its assertions. Apple even wrote a letter to Congress saying the story was "simply wrong." Both the UK National Cyber Security Centre and the US Department of Homeland Security have said they have no reason to doubt the denials from Apple and Amazon.
Software is even easier to tamper with than hardware
While the Supermicro story concerns an alleged attack on a hardware supply chain, the scarier point is that it is far easier for bad actors to infiltrate and compromise a software supply chain. With hardware, you need physical access to something in order to tamper with it. With software, you can do it from anywhere.
On that point, I have seen 10 incidents over the last two years that together point to a serious escalation in software supply chain attacks. In particular, adversaries have directly injected vulnerabilities into open source projects and ecosystems. In some cases, these compromised components were then unknowingly pulled in by software developers building applications. Those applications, believed to be safe, are then shipped to both consumers and businesses. The risk is significant, and it is unknown to everyone except the person who deliberately planted the compromised component in the software supply chain.
Historically, attacks on software have come after a new vulnerability was published, not before. In effect, the "bad guys" watch the disclosures, and when a new vulnerability is announced they move quickly to exploit it before the "good guys" can patch. Planting the flaw upstream inverts that model: the attacker knows about the weakness before anyone else does. It's a good business model, especially when you consider that only 38 percent of companies monitor and manage their software supply chain.
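As an added illustration (not code from the article or from Sonatype), here is the kind of integrity check that "monitoring and managing the software supply chain" implies in practice: a build step that refuses any fetched dependency whose SHA-256 digest does not match a reviewed, pinned manifest, and that also flags components that were never reviewed or that went missing. The artifact names, contents and manifest below are constructed for the example.

```python
"""Verify fetched dependency artifacts against a pinned manifest of SHA-256
digests, so that a component altered upstream fails the build instead of
being silently compiled in.

Added illustration, not Sonatype code. Artifact names, contents and the
manifest are constructed for the example.
"""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Record the digest of each reviewed artifact.

    Done once, at review time; in a real project this is the lockfile
    committed alongside the source.
    """
    return {name: sha256_hex(content) for name, content in approved.items()}


def verify_artifacts(manifest: Dict[str, str],
                     fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Compare every fetched artifact to the pinned manifest.

    Returns a mapping of artifact name -> problem. An empty result means the
    build may proceed. Three distinct failure modes are reported:
      - "tampered": artifact present but its digest differs from the pin
      - "unpinned": artifact fetched that was never reviewed (e.g. a new
                    transitive dependency pulled in by a changed resolver)
      - "missing":  pinned artifact that was not fetched at all
    """
    problems: Dict[str, str] = {}
    for name, content in fetched.items():
        if name not in manifest:
            problems[name] = "unpinned"
        elif sha256_hex(content) != manifest[name]:
            problems[name] = "tampered"
    for name in manifest:
        if name not in fetched:
            problems[name] = "missing"
    return problems


# Constructed sample data: two reviewed artifacts and a pinned manifest.
APPROVED: Dict[str, bytes] = {
    "libfoo-1.2.0.tar.gz": b"libfoo source tarball, reviewed",
    "bar-0.9.1.whl": b"bar wheel, reviewed",
}
PINNED = build_manifest(APPROVED)

# Constructed "fetched" set for a later build: libfoo has been modified
# upstream, an unreviewed package baz appeared, and bar was not fetched.
FETCHED: Dict[str, bytes] = {
    "libfoo-1.2.0.tar.gz": b"libfoo source tarball, reviewed\n# injected code",
    "baz-3.0.0.tar.gz": b"never reviewed",
}


def main() -> int:
    """Exit non-zero (fail the build) if anything does not match the pins."""
    problems = verify_artifacts(PINNED, FETCHED)
    for name, reason in sorted(problems.items()):
        print(f"{reason:9s} {name}")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a build step, a non-zero exit stops the pipeline before the altered component is compiled in. The digest comparison only catches changes relative to what was reviewed; it does not judge whether the reviewed version was itself clean, which is why the manifest must be produced from a deliberate review rather than from whatever the resolver fetched first.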
Here's the point: whether or not the Bloomberg report on Supermicro holds up, attacks on our technology supply chains, both software and hardware, are already real. Talking about ways to secure those supply chains matters now more than ever.
Brian Fox is SVP and Chief Technology Officer of Sonatype.