Expose' - The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies

The Rocketry Forum

Winston

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.
4 Oct 2018

https://www.bloomberg.com/news/feat...filtrate-america-s-top-companies?srnd=premium

Selected excerpts:

Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

1. A Chinese military unit designed and manufactured microchips as small as a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.
2. The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.
3. The compromised motherboards were built into servers assembled by Supermicro.
4. The sabotaged servers made their way inside data centers operated by dozens of companies.
5. When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

In espionage circles, infiltrating computer hardware - especially to the degree that the Chinese did - is extremely difficult to pull off. And doing it at the nation-state level would be akin to "a unicorn jumping over a rainbow," as one of BBG's anonymous sources put it. But China's dominance of the market for PCs and mobile phones allows it a massive advantage.

One country in particular has an advantage executing this kind of attack: China, which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs. Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location - a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. "Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow," says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. "Hardware is just so far off the radar, it’s almost treated like black magic."

But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

In emailed statements, Amazon (which announced its acquisition of Elemental in September 2015), Apple, and Supermicro disputed summaries of Bloomberg Businessweek’s reporting. "It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon wrote. "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations’ or vulnerabilities purposely planted in any server," Apple wrote. "We remain unaware of any such investigation," wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn’t directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, "Supply chain safety in cyberspace is an issue of common concern, and China is also a victim." The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.
 
Continued:

The companies’ denials are countered by six current and former senior national security officials, who - in conversations that began during the Obama administration and continued under the Trump administration - detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.

Well before evidence of the attack surfaced inside the networks of U.S. companies, American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided, and millions of motherboards are shipped into the U.S. annually. But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.

The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.

Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users.
 
Of course, this story might be a much more detailed attempt at something like this, but I doubt it:

AMD And CTS Labs: A Story Of Failed Stock Manipulation
Mar. 16, 2018

https://seekingalpha.com/article/4157242-amd-cts-labs-story-failed-stock-manipulation
 
It's Not Just The Hacking: It's The LIES

https://market-ticker.org/akcs-www?post=234281

Excerpts:

Incidentally the server I have here at the house has a motherboard in it made by them -- fortunately before the hacking game began. Needless to say I won't be buying a newer replacement from that company any time ever.

These boards are literally everywhere. They're quite-solid and, for those people running server farms and similar, have what is known as "IPMI", or a remote console capability that runs over a dedicated network port. This interfaces with the "BMC" module which is where the hack was placed.

The BMC module controls the system before it boots. It's another processor, basically, and interdicting it provides the potential to exfiltrate anything -- including the 900lb Gorilla, encryption keys.

The problem with such a setup is that in order to make it very hard to find you need to make it small. This in turn limits both the power you can put into the chip and its storage capacity, both of which will also be small. But that doesn't matter, really, because all you need is enough to work your way back to "mother" and grab whatever you want from that location and since these boards in a server architecture will have their management port connected, never mind that the BMC can attach to the other network ports (not just the dedicated one) as soon as the board is on a real network with outside access it can get back to its command point.

In short the problem is this:

"Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. 'You end up with a classic Satan’s bargain,' one former U.S. official says. 'You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.'”

As I have repeatedly warned over the last decade in this column that first article of faith is complete crap. The People's Liberation Army (PLA) is the government and business both in China. To believe that they wouldn't "jeopardize" their position is also crap for the simple reason that the entire premise of offshoring is to seek the cheapest price risks be damned as nobody in the United States in corporate or government work is ever prosecuted for screwing their customers.

Let me repeat that: NOBODY EVER GOES TO FEDERAL POUND-YOU-UP-THE-*** PRISON SO LONG AS YOU ARE A LARGE COMPANY OR GOVERNMENT AGENCY.

EVER.


---------

From the comment section about that column:

Krzelune: This is what HPE calls "Integrated Lights Out" or iLO. It allows remote controlling servers. It can be used when server is powered off. You can turn the servers on/off, remote control, load DVD's or ISO's for install on the server. You can basically do anything as if you were in front of it, as long as power is available and the iLO port is reachable on the network. Intel VPRO chipset on higher end corporate workstations do the same thing.

Tickerguy (author of the above column): Yep

Tarmoney: What are the odds this is limited to super micro?

Tickerguy: Zero.
 
And we buy product, have product produced there, have our ip stolen, and in general do business with China why? At some point the rest of the world just needs to collectively say no to them, and cut them off. Cut them off at the knees.

Economic pain- yes, for a while. More so for them.
 
100% in agreement!
Let me update this famous quote "A capitalist will sell you the rope you hang him with" to "A capitalist will give you or allow you to steal with no consequences the technology required to make the rope you hang him with... and then PAY for the rope!"



From various places:

As a superpower competitor, China is VASTLY more dangerous than the Soviet Union ever was due to Chicom capitalism and the greed induced stupidity of US manufacturers handing over IP to gain access to a market which they will never be allowed into in a SUSTAINED basis - China will simply use the willingly provided or stolen IP to set up their own industries.

Considering these FACTS, how INCREDIBLY F'ING STUPID would it have been considered to be to allow the Soviet Union to manufacture network hardware for US use had that sort of thing existed then?

----------

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them; equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks and even reportedly used in the CIA’s drone operations.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next-generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

Animated GIF supposedly showing the location of the chip in one of the compromised boards:


----------

The BMC SPI flash memory attack vector is VERY credible, and perfectly plausible. Chinese manufacturers are known to be willing to put in back doors. It has happened before; see almost any Chinese-made security camera. And the usual big American companies always deny and bury and play down their frequent security breaches, it’s the standard practice every time. You think the SEC or any other agency in the US would levy consequences on them greater than the hit they’d take if they verified this? At the very least their attitude should be to look into it, not release a lawyery outright denial using sneaky phrasing.
...also consider that it’d been previously reported that Apple found malicious modifications to SuperMicro firmware that they also denied:

Apple deleted server supplier after finding infected firmware in servers [Updated]
Report: Siri, internal development servers affected by fake firmware patch.
2/24/2017

https://arstechnica.com/information...m-datacenters-because-of-bad-firmware-update/

A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple's App Store, as well as some production servers handling queries through Apple's Siri service.

An Apple spokesperson denied there was a security incident. However, Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased. An anonymous source was cited as the source of the information regarding infected Siri servers.

----------

The folks over at /r/homelab are already on the case:

https://www.reddit.com/r/homelab/comments/9lapzs/big_supermicro_hack_how_many_of_us_bought_these/

If this is true, someone will be able to verify it in pretty short order. It’ll be a feather in the cap of whoever’s able to confirm it first, so you better believe a lot of eyes are looking.

----------

This same guy has previously claimed that the recently revealed speculative execution exploits in Intel and, to a lesser extent, AMD CPUs make cloud computing completely untrustworthy:

As far as Amazon and Apple, among others, denying they were "victimized" by these boards, well, let me point out that there's no penalty for lying in this country anymore, those statements were not made under oath and even if they were there is a zero risk of any of their executives being prosecuted or jailed. Further, Amazon Web Services (AWS) [Cloud Computing Services] would be utterly decimated were it exposed that the management interface to these servers was compromised.

Well folks, it was compromised, and if you have any sort of brainpower available you damn well ought to stop fooling yourself when it comes to so-called "cloud" computing -- it isn't secure, it will never be secure and neither is your data if it's in such an environment.

Oh, and that's exactly how these big firms and government like it.

----------

Finally, THIS stupidity. Yeah, let's concentrate it all in one place to make it a really juicy target. Yeah, that's it, that's the ticket!:

Announcing the New AWS Secret Region
20 Nov 2017

https://aws.amazon.com/blogs/publicsector/announcing-the-new-aws-secret-region/

We are pleased to announce the new AWS Secret Region. The AWS Secret Region can operate workloads up to the Secret U.S. security classification level. The AWS Secret Region is readily available to the U.S. Intelligence Community (IC) through the IC’s Commercial Cloud Services (C2S) contract with AWS. The AWS Secret Region also will be available to non-IC U.S. Government customers with appropriate Secret-level network access and their own contract vehicles for use of the AWS Secret Region. These contract vehicles will not be part of the IC’s C2S contract.

With the launch of this new Secret Region, AWS becomes the first and only commercial cloud provider to offer regions to serve government workloads across the full range of data classifications, including Unclassified, Sensitive, Secret, and Top Secret. By using the cloud, the U.S. Government is better able to deliver necessary information and data to mission stakeholders.

 
These guys are pretty good at tracking down this sort of thing.

https://www.servethehome.com/bloomb...d-the-supermicro-supply-chain-we-investigate/

While it's possible, and somewhat conceivable, I don't think the attack described is likely. It's far more likely that if there is a hardware component added, it's doing something like backdooring the BMC. And honestly, it would be far simpler to install a counterfeit, backdoored BMC directly. A hardware component, even a tiny one, is far more likely to be noticed. And a tiny chip isn't going to be able to do much. Even then, only an idiot exposes the BMC to the internet. Anyone qualified to work on this sort of gear knows the security risks the BMC creates if exposed.

Apple has already denied the claim publicly. While I'm sure there's an element of "they WOULD say that" in there, they are also risking SEC issues if they lie about it, so there is at least some reason for them to keep honest.

Right now, I think it's worth looking into by qualified security researchers. I'm very skeptical of this single sourced article with no technical detail. If some evidence can be found, I suspect a lot of supply chains are going to be severely disrupted.
 
It joins the list: Chinese Huawei and ZTE cell phones, and Kaspersky Labs antivirus software. But I bet we're doing it to them the same time they're doing it to us. Just another new form of spying. Can you say Stuxnet?
 
A really good book to read is "The Hundred-Year Marathon" by Michael Pillsbury. The basic premise of the book is that the Republic of China is in a 100-year Marathon race that started in 1949 with Mao Tse-Tung's communist take over of China to replace the U.S. as the world power. In keeping with this thread the book points out the heavy influence of the People's Republic of China Army in influencing almost all national decisions and doing it quietly. What better way to assault the West than to put secret computer chips on computer boards and distribute them about the world. The idea that a kindly globalization is here to help us in a world of peace is not only naive, but could even be dangerous. With a smaller military than ours the Chinese can use asymmetrical assaults to even the odds.

Only a slightly different note, but again looking at how detrimental globalization can be, I saw on the news today that if the U.S. drops sales of the F-35 to Turkey, we may be in jeopardy of losing the Turkish suppliers of crucial parts for the F-35 itself, if the Turks decide to cancel sales to us.
 
Agree except for your SEC claim.

From the comments by others I posted above: "You think the SEC or any other agency in the US would levy consequences on them greater than the hit they’d take if they verified this?"

Also:

As I have repeatedly warned over the last decade in this column that first article of faith is complete crap. The People's Liberation Army (PLA) is the government and business both in China. To believe that they wouldn't "jeopardize" their position is also crap for the simple reason that the entire premise of offshoring is to seek the cheapest price risks be damned as nobody in the United States in corporate or government work is ever prosecuted for screwing their customers.

Let me repeat that: NOBODY EVER GOES TO FEDERAL POUND-YOU-UP-THE-*** PRISON SO LONG AS YOU ARE A LARGE COMPANY OR GOVERNMENT AGENCY.

EVER.


Then, there's this previous denial:

Apple deleted server supplier after finding infected firmware in servers [Updated]
Report: Siri, internal development servers affected by fake firmware patch.
2/24/2017

https://arstechnica.com/information...m-datacenters-because-of-bad-firmware-update/

A mid-2016 security incident led to Apple purging its data centers of servers built by Supermicro, including returning recently purchased systems, according to a report by The Information. Malware-infected firmware was reportedly detected in an internal development environment for Apple's App Store, as well as some production servers handling queries through Apple's Siri service.

An Apple spokesperson denied there was a security incident. However, Supermicro's senior vice-president of technology, Tau Leng, told The Information that Apple had ended its relationship with Supermicro because of the compromised systems in the App Store development environment. Leng also confirmed Apple returned equipment that it had recently purchased. An anonymous source was cited as the source of the information regarding infected Siri servers.


Also, as pointed out above, NO action by the SEC would even come close to totally -OBLITERATING- things like Amazon Web Services (AWS) as would occur if they actually admitted this. As also pointed out above, big corporations get a slap on the wrist which IN EVERY CASE I KNOW OF made the illegal behavior incredibly profitable - the fines don't even begin to recoup what was made via the illegal behavior. To prevent this there should be a high threshold "three strikes and you're out" penalty for corporations where an ultimate penalty like revocation of their corporate charter in the US, perhaps temporary, would be levied. I forget the number, but there would already be a large number of corporations in the US who would have experienced this penalty. But, of course, with our BOUGHT GOVERNMENT, like many things that should happen, this will never happen.

Finally, they could easily be exempted from any SEC action by a government issued national security letter gag order.
 
China would need lots of supercomputing power to digest all of the traffic it would get via these ALLEGED spy chips. Oh, look:

NSA, DOE say China's supercomputing advances put U.S. at risk
15 Mar 2017

https://www.computerworld.com/artic...-china-nearing-supercomputing-leadership.html

Advanced computing experts at the National Security Agency and the Department of Energy are warning that China is "extremely likely" to take leadership in supercomputing as early as 2020, unless the U.S. acts quickly to increase spending.
China's supercomputing advances are not only putting national security at risk, but also U.S. leadership in high-tech manufacturing. If China succeeds, it may "undermine profitable parts of the U.S. economy," according to a report titled "U.S. Leadership in High Performance Computing" by HPC technical experts at the NSA, the DOE, the National Science Foundation and other agencies.

"To maintain U.S. leadership in HPC," the report says, "a surge" of U.S. "investment and action is needed to address HPC priorities."

Concerns about China's technical advances have been raised before by U.S. scientists and industry groups, but never in such striking terms -- or by representatives of a spy agency.



The NSA is gathering so much data, it’s become swamped and ironically ineffective at preventing terrorism
7 Sep 2018

https://www.zmescience.com/research/technology/nsa-overwhelmed-data-53354/

One of the most famous NSA whistleblowers (or the ‘original NSA whistleblower’), William Binney, said the agency is collecting stupendous amounts of data – so much that it’s actually hampering intelligence operations. [but he's been gone from the NSA for 17 YEARS; things may have improved since then - W]

Binney worked for three decades for the intelligence agency, but left shortly after the 9/11 attacks. A program he had developed was scrapped and replaced with a system he said was more expensive and more intrusive, which made him feel he worked for an incompetent employer. Plans to enact the now controversial Patriot Act were the last straw, so he quit. Since then, Binney has frequently criticized the agency and revealed some of its operations hazards and weaknesses. Among these, he alleges:

The NSA buried key intelligence that could have prevented 9/11;

The agency’s bulk data collection from internet and telephone communications is unconstitutional and illegal in the US;
Electronic intelligence gathering is being used for covert law enforcement, political control and industrial espionage, both in and beyond the US;
Edward Snowden’s leaks could have been prevented. Ironically, Snowden cites Binney as an inspiration.

His greatest insight, however, is that the NSA is ineffective at preventing terrorism because analysts are too swamped with information under its bulk collection programme. Considering Binney’s impeccable track record – he was co-founder and director of the World Geopolitical & Military Analysis at the Signals Intelligence Automation Research Center (SARC), a branch with 6,000 employees – I can only presume he knows what he’s talking about.
 
China did this- I have no doubt. Maybe we should take back control of the internet name servers and cut them off. They want cyberwar give it to them. Cut their internet access
 
This was presented in headlines everywhere as disproving the hack. "at this time we have no reason to doubt the statements" Wow, what a strong denial immediately evolving into a PR message.

Statement from DHS Press Secretary on Recent Media Reports of Potential Supply Chain Compromise
Release Date: October 6, 2018

https://www.dhs.gov/news/2018/10/06...dia-reports-potential-supply-chain-compromise

“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.”

Besides, why would corporations cover such things up, lying when needed?

Google Concealed Data Breach Over Fear Of Repercussions; Shuts Down Google+ Service
8 Oct 2018

https://www.zerohedge.com/news/2018...d-data-breach-which-exposed-user-data-hackers

Google opted in the Spring not to disclose that the data of hundreds of thousands of Google+ users had been exposed because the company says they found no evidence of misuse, reports the Wall Street Journal. The Silicon Valley giant feared both regulatory scrutiny and regulatory damage, according to documents reviewed by the Journal and people briefed on the incident.

In response to being busted, Google parent Alphabet is set to announce broad privacy measures which include permanently shutting down all consumer functionality of Google+, a move which "effectively puts the final nail in the coffin of a product that was launched in 2011 to challenge Facebook, and is widely seen as one of Google's biggest failures."

The software glitch gave outside developers access to private Google+ profile data between 2015 and March 2018, after Google internal investigators found the problem and fixed it. According to a memo prepared by Google's legal and policy staff and reviewed by the Journal, senior executives worried that disclosing the incident would probably trigger "immediate regulatory interest," while inviting comparisons to Facebook's massive data harvesting scandal.


Latest update. Different hardware hack with same goal and still Chinese:

New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom
The discovery shows that China continues to sabotage critical technology components bound for America
October 9, 2018

https://www.bloomberg.com/news/arti...cked-supermicro-hardware-found-in-u-s-telecom

A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company.

The security expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery following the publication of an investigative report in Bloomberg Businessweek that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.

Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland. His firm specializes in hardware security and was hired to scan several large data centers belonging to the telecommunications company. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client. Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that's used to attach network cables to the computer, Appleboum said.

The executive said he has seen similar manipulations of different vendors' computer hardware made by contractors in China, not just products from Supermicro. “Supermicro is a victim -- so is everyone else,” he said. Appleboum said his concern is that there are countless points in the supply chain in China where manipulations can be introduced, and deducing them can in many cases be impossible. “That's the problem with the Chinese supply chain,” he said.

The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.

Based on his inspection of the device, Appleboum determined that the telecom company's server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the ‘Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.

The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunication company's technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine. It's not clear if the telecommunications company contacted the FBI about the discovery. An FBI spokeswoman declined to comment on whether it was aware of the finding.

Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.

“For China, these efforts are all-encompassing,” said Tony Lawrence, CEO of VOR Technology, a Columbia, Maryland-based contractor to the intelligence community. “There is no way for us to identify the gravity or the size of these exploits -- we don't know until we find some. It could be all over the place -- it could be anything coming out of China. The unknown is what gets you and that's where we are now. We don't know the level of exploits within our own systems.”
 