Supply chain hacking: bull in a China shop?

My colleague at ESET, Cameron Camp, today published the second of a series of articles commenting on this year’s Virus Bulletin: Virus Bulletin 2018: Supply chain hacking grows up

It’s an interesting article that makes some good points. But what particularly interested me was that it came hard on the heels of Bloomberg’s report The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies claiming that
“The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources.”

Could this be true?  Well, Amazon and Apple have strongly denied it, as has Super Micro Computer Inc, whose supply chain is alleged to have been infiltrated. So who knows? Probably none of the sources that have commented on the topic subsequently, but here are a few of them anyway:

• I’m not the biggest fan ever of SANS, but there are some useful comments and links in the Newsbites newsletter Volume 20, No. 79. It hasn’t been put up on their web site yet (it only just appeared in my mailbox) but no doubt it will soon appear here.
• The Register: Chinese tech titans’ share prices slump after THAT Super Micro story – “Lenovo slides by a fifth, ZTE sinks too on back of server allegations”
• Graham Cluley: China accused of sabotaging thousands of servers at major US companies with tiny microchips hidden on motherboards
• Also from The Register (an earlier story): Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know – and who is telling the truth?
• John Gruber at Daring Fireball has posted much useful commentary with links to other resources: see Bloomberg’s ‘The Big Hack’ and What Businessweek got wrong about Apple

It will certainly be interesting to see how this story develops.

David Harley