A cry of “fake news” is making the rounds concerning the Chinese supply chain attack against Supermicro reported by Bloomberg.

Bloomberg reports all official statements (nation-states & corporations) deny the attack.

Supply Chain Attacks are feasible (tough but feasible) and make logical sense. Plenty of motive for plenty of actors.

If it is widespread, there’s plenty of opportunity for corroboration.

Time to crack open your own and have a look see!


I am currently in the "probably true, and probably far more widespread than Supermicro" camp...

just speaking from experience.

@tinker It is possible they only targeted boards going to specific companies as well. It sounded like even the Amazon and Apple instances of the attack weren't all of the boards they had.

@ted @tinker

I have pulled logs from several clients running Supermicro servers in some capacity. A cursory glance reveals nothing of interest.

If it happened, it had to be specific boards, whether models, or customer IDs.

Not every board got it if it exists.

@ted @tinker

Palo Alto logs...

That said, if there is something I should be looking for that I'm not... then it could be there, but one blocks all traffic to .CN and associated IP ranges... If traffic were headed there I'd see it.

They could be using a server stateside to C&C, and I might not find it this way.

@tinker One issue with this is that Bloomberg doesn't have an actual picture of the chip from what I can tell.

@tinker Especially if what they say is true and newer variations on the tech need X-rays and splitting the silicon layers of the board to find.

The list of people who know how and what to look for gets really small at that point.

@tinker The Bloomberg article didn't seem persuasive to me. The lack of details. The denials. The depictions of shady agencies as heroic.

I'm not concerned enough to start checking my boards for tiny CPUs.

But I could be wrong and this is just my initial intuition. If they back it up with more independently verifiable technical details then that would be more credible.

@bob @tinker I will always be skeptical of bombshell stories from an unnamed source with not a single shred of corroborating evidence.

@tinker It's going to take me a while to go over everybody. I might have to speed up my next maintenance cycle (and book a couple of flights).


There's some back and forth as AWS is stating that it's not accurate, but it doesn't surprise me that they want to defend their quality and security standards.

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.