
Chinese Super Micro 'spy chip' story gets even more strange as everyone doubles down

Bloomberg puts out related story while security experts cast doubt on research and quotes


The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.

On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a "major US telecommunications company" discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.

That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.

The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.

With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community who wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.

Another expert, another report

In its most recent story, Bloomberg claims to have seen "documents, analysis and other evidence" of Chinese interference: in this case "manipulated hardware" stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.

The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered "unusual communications" coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.

Physical inspection of that board revealed "an implant built into the server's Ethernet connector," Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.

While Bloomberg notes that the Ethernet implant "is different from the one described in the Bloomberg Businessweek report last week," it argues that it shares "key characteristics" including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.

The conclusion that the implant was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that "he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China."

Appleboum makes a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.

You know nothing, DHS

Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had "no reason to doubt" denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization's "cyber and counterintelligence teams, and that DHS may not have been involved."

In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.


That is a plausible explanation. It is also possible that Apple and Amazon have walled-off security arms that do not communicate with the larger corporate body and it is they that discovered the spy chip and worked with intelligence agencies. Such a corporate disassociation would provide a buffer that enables executives to deny their activities or findings.

Just as likely, however, is that Bloomberg's reporters made mistakes in their reporting and the organization failed to adequately fact check the article, or that they stumbled on an intelligence misinformation campaign and have been effectively reporting its effectiveness within certain groups of people.

The new story pointing to an Ethernet hack is clearly intended to act as support for the original story, but since the details are so different and rather unspecific, and given that the entire report is single-sourced, it has had the opposite effect among security experts, who have started to doubt the credibility of the original story.

In addition, online sleuths have started digging into the reporters themselves and identifying previous errors in their reporting of security issues.

On the possible failure of adequate fact checking, earlier this week one of the security experts that Bloomberg spoke to in order to explain how the claimed spy chip would actually work, Joe Fitzpatrick, gave an interview to Aussie veteran infosec journalist Patrick Gray in which Fitzpatrick said he had told the Bloomberg spy-chip reporters of his doubts that it was feasible and that he was "uncomfortable" with the final article.

Notably, however, he claims that no one other than the 'berg reporters spoke to him to fact check either what he told them, or the relevant details as they finally appeared in the report.

Sourcing

Fitzpatrick even implies that the report may have painted him as an anonymous source at a different point in the story: something that, if true, would raise questions over how well-sourced the story really is.

Fitzpatrick says a theoretical scenario that he described to one of the two reporters, Jordan Robertson, was the exact same scenario that one of the story's anonymous sources said had actually happened.

"It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources," he told the podcast Risky Business.

Fitzpatrick then engages in some speculation about why the Chinese government would actually use the specific method that the story covered. "There are so many easier hardware ways, there are software, there are firmware approaches. The approach you are describing is not scalable. It's not logical. It's not how I would do it. Or how anyone I know would do it," he said.

That expert opinion is however contradicted by other security experts who have noted that such an attack is theoretically possible, albeit very difficult to pull off.

All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings. ®
