Join NexChange - the professional
network for the financial services
industry - and receive a free one-
year subscription to Forbes
Doubts Raised About Bloomberg's China Hacking Story
Last week Bloomberg Businessweek published a blockbuster story that detailed how manufacturing subcontractors in China allegedly carried out a complex attack on about 30 American companies, including Amazon and Apple, by implanting small microchips – “not much bigger than a grain of rice” – on the motherboard of servers used for compressing videos in a multitude of electronic devices.
According to Bloomberg Businessweek, the microchips were first discovered in 2015 when Amazon began conducting due diligence for a possible acquisition of Elemental Technologies, a Portland, Oregon-based startup that “made software for compressing massive video files and formatting them for different devices.” Amazon Web Services (AWS) hired a third-party firm to evaluate Elemental’s security, which “uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression.”
Elemental’s servers were assembled by Super Micro Computer Inc., a San Jose, California-based company that is also known as Supermicro. Elemental sent some of these servers to a third-party company in Ontario, Canada for a security test, as Bloomberg Businessweek reports.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
Bloomberg Businessweek also reports that U.S. investigators have been probing the alleged hack for three years now, “and determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines.”
However, either the Feds aren’t letting on yet that China was involved in a major hack of U.S. tech manufacturing – or Bloomberg Businessweek’s reporting might not hold up to further scrutiny. During a hearing before the Senate Homeland Security Committee on Wednesday, FBI Director Christopher Wray was cagey about what the agency knows – but appeared to cast doubt on Bloomberg Businessweek‘s story in response to a question from Senator Ron Johnson, chairman of the committee, about when the agency became aware of the alleged hack.
“I would say to the newspaper article or, I mean, the magazine article, I would say be careful what you read,” Wray replied. “Especially in this context.”
Johnson called on Wray to speak to the accuracy of the story, telling the FBI director that, “We don’t want false information out there.”
Wray said he couldn’t offer much detail because the agency has a policy of not confirming or denying that an investigation is underway.
Kirstjen Nielsen, secretary of the Department of Homeland Security, said at the same hearing that “we at DHS do not have any evidence that supports the article.” Meanwhile, Apple, Amazon and Supermicro all released emailed statements to Bloomberg Businessweek denying the veracity of the story.
However, New York magazine’s Jake Swearingen points out that it would be really weird for Bloomberg Businessweek to get this story as wrong as Amazon, Apple, Supermicro, the Department of Homeland Security and possibly the FBI are implying. Even though “it’s unthinkable for a large and publicly traded company to categorically and comprehensively deny the claims of an article like this unless they’re really not true.”
On the other hand, Bloomberg Businessweek is known as both one of the best, and one of the most cautious, publications in the world of business and national-security reporting. It’s equally unthinkable that it would have published a story this shocking without having reported it deeply (the reporters write that they have 17 sources) and having thoroughly checked it out legally.
As Swearingen notes, having 17 sources attached to the article unquestionably makes this a meticulously reported story from Bloomberg Businessweek. And it’s hard to imagine that all 17 sources misled the reporters.
But the doubts being raised about the story are also hard to ignore. It doesn’t mean the denials make the story wrong, but it does make it more difficult to accept it at face value until we hear more from the intelligence community.
Some stories are black and white; others have a gray area where the truth is found. This is starting to seem like the latter.
Photo: Getty iStock