Ops 102: Read: Class 01 What is a Computer? - FurrukhJaffar/Ops_102_Reading_Notes GitHub Wiki

Reading, Research, and Discussion

Case Study: China’s Spy Chip

How is a hardware hack different than a software hack?

Hardware hacks are hard to pull off and leave a physical trace, but the reward is big: a virtually perpetual back door that stays open to attacks.

What are the two ways for spies to alter a computer’s hardware?

There are two ways to do this: in transit or at the source.

Explain how the hack worked.

Nested on the servers' motherboards was a tiny microchip that wasn't part of the motherboards' original design. The chips allowed the attackers to create a stealth doorway into any network that included the altered machines. More specifically, investigators found that some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack. These were inserted into motherboards used in Supermicro servers deployed across large-scale U.S.-based, -owned, or -run data centers globally. When switched on, the chips would alter the operating system's core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip.

How were investigators able to trace the chips back to the source?

When AWS reported the find to U.S. authorities, U.S. investigators followed the manufacturing trail from Elemental to Supermicro to Chinese subcontractors. They found that the chips were inserted during the manufacturing process by operatives from a unit of the People's Liberation Army. Before that, Apple had noticed unusual network activity and firmware troubles associated with these motherboards. It reported what it discovered to the authorities, who then put their own cyber intelligence experts to work. They found that the microchips on motherboards from Elemental were specifically designed to look like signal conditioning couplers, another common motherboard component, rather than microchips, so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.