In October 2018, Bloomberg published an article titled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” that sent shockwaves around the world. The implication: Chinese spies had infiltrated nearly 30 U.S. companies by embedding malicious microchips in Supermicro motherboards. The motherboards, presumed to be of the highest quality, were deployed inside U.S. data centers, which would have afforded bad actors easy access to massive amounts of sensitive information. The article called this “the most significant supply chain attack known to have been carried out against American companies.” The implications captured global attention across every corner of the tech industry. No one was safe.
But as the dust settled, most of the companies named in the article vehemently denied its claims. Apple even wrote a letter to Congress saying the story was “simply wrong.” Both the U.K. National Cyber Security Centre and the U.S. Department of Homeland Security said they had no reason to doubt Apple’s and Amazon’s denials, in other words that the alleged Supermicro hack never happened. Was the biggest physical supply chain attack in history a hoax? We may never know.
What we do know, however, is that members of the Chinese People’s Liberation Army have now been indicted for conducting the biggest software supply chain attack in history: the 2017 Equifax breach, which exploited a vulnerable open source component (Apache Struts, CVE-2017-5638) and exposed the personal information of over 145 million people. The fix for that flaw had been public for roughly two months before the intrusion began; the attackers needed no zero-day, only an unpatched dependency. And yet the world still isn’t talking enough about the importance of software supply chain hygiene.
Maybe Bloomberg should rewrite its story.
What You Need to Know About the Real “Big Hack”
Software supply chain attacks and exploit efforts aimed at open source projects are happening in the wild at an alarming rate.