How China Used a Tiny Chip to Infiltrate U.S. Companies?

Bloomberg broke a story today about how Chinese spies reportedly inserted microchips into servers used by Apple, Amazon, and others. According to the article, Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies.

The chips were “not much bigger than a grain of rice,” reports Bloomberg, but able to subvert the hardware they’re installed on, siphoning off data and letting in new code like a Trojan Horse. According to Bloomberg, Amazon and Apple discovered the hack through internal investigations and reported it to US authorities.

The publication says there’s no direct evidence that the companies’ data — or that of users — was stolen or tampered with, but both firms worked quietly to remove the compromised servers from their infrastructure.

Ross Rustici, senior director, intelligence services at Cybereason, said: “This report highlights the fundamental vulnerability of the globally distributed supply chains that exist. Hardware interdiction as a means to enable spying or sabotage is a fairly old concept. The fundamental problem facing countries these days is that as globalisation has created economic efficiencies by offshoring labour intensive products, individual countries no longer provide single source construction for their national security components.

“This creates a massive vulnerability for anyone building a high-tech weapon system today. While this particular supply chain infection happened at least three years ago, the state of supply chain vulnerability management has not improved substantially.

“Fundamentally, supply chain security is a cost problem. It is almost always conducted by a complicit insider, whether it is at the factory, a transportation agent, or customs official. This makes creating a tamper-proof product extremely costly, the number of safeguards and other mechanisms required would drive up the cost of the product beyond market viability.

“This incident should force government to re-examine how they inspect and certify critical hardware, however in the history of the spy wars, this will likely be forgotten as just another example of how countries are leveraging the global, vulnerable, supply chain for their own national security purposes.”
