On October 4, 2018, Bloomberg Business published an article that shook the foundations of cybersecurity – “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies: The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources."
This article is Part 2 of a series that focuses on China’s cyber-espionage efforts. In Part 1 of this series we looked at Russian espionage efforts going back to 1945. In looking at China’s efforts, we will examine more recent examples and end with the issue highlighted in the Bloomberg article.
2003 Operation “Titan Rain”
First reported in 2005, Titan Rain was the designation given by the U.S. government to describe a series of coordinated attacks on American computer systems since at least 2003. This was the first instance of state-sponsored espionage from China that was made public. The Titan Rain attacks were labeled as Chinese in origin and were believed to be associated with Advanced Persistent Threat (APT) attacks targeting U.S. defense contractor computer networks - Lockheed Martin, Sandia National Laboratories, Redstone Arsenal, and NASA. And a number of agencies within the U.S. were compromised, including unclassified networks of the U.S. Departments of State, Homeland Security, and Energy. “They stole intellectual property, including Google’s source code and designs for weapons systems. They took government secrets, including user names and passwords. And they compromised data associated with Chinese human rights activists, including their email messages. Typically, the intrusions started with spear-phishing.”
2007 Pentagon Email Hack
Then Secretary of Defense Robert Gates confirmed that an incursion by hackers was responsible for a Pentagon e-mail outage that disrupted e-mail service for over 1,500 Pentagon workers. “According to Gates, portions of the Pentagon e-mail system were disabled in response to hacking activity.”
“Elements of the OSD unclassified e-mail system were taken offline yesterday afternoon, due to a detected penetration," said Gates, according to a transcript of the event published by the Defense Department. “We obviously have redundant systems in place, and there is no anticipated adverse impact on ongoing operations. There will be some administrative disruptions and personal inconveniences.” Estimated cost of recovery from the hack was $100 Million.
2010 Internet Protocol (IP) Addressing Hijack
One of the more “creative” hacks that the Chinese perpetrated occurred in 2010 when “state-owned China Telecom advertised erroneous network routes that instructed “massive volumes” of U.S. and other foreign Internet traffic to go through Chinese servers during an 18-minute stretch.”
In this short period of time, approximately 15% of Internet traffic was captured coming “from US government (‘‘.gov’’) and military (‘‘.mil’’) sites, including those for the Senate, the army, the navy, the marine corps, the air force, the office of secretary of Defense, the National Aeronautics and Space Administration, the Department of Commerce, the National Oceanic and Atmospheric Administration, and many others. Certain commercial websites were also affected, such as those for Dell, Yahoo!, Microsoft, and IBM.”
2014 Five Chinese Individuals Indicted for Hacking Pittsburgh Companies
Being a native Pittsburgher and former employee of one of the compromised companies, I closely followed this case. The indictment filed in U.S. District Court charged five Chinese army officials, members of Unit 61398 of the People's Liberation Army, for computer crimes.
The indictment identified that the targets of the hacks were industry-giants, U.S. Steel, Westinghouse Electric Corporation, Alcoa, Allegheny Technologies, and the United Steelworkers International Union.
Around this time, I was CISO for a company that was engaged in securing contractual bids for potential multi-million contracts. Among the bidders was a Chinese company. We closely consulted with the FBI and set up a rigorous protocol to engage with them, including, but not limited to, pre-scanning all email and attachments for the presence of malware prior to delivery to procurement professionals, sweeping meeting rooms and proximate office areas for “bugs” prior to and after their on-site visits, and disabling network jacks and wireless access points in meeting rooms.
Our negotiations proceeded without a hitch.
2015 U.S. Office of Personnel Management (OPM) Hack
Probably the most egregious and damaging compromise perpetrated by the Chinese was the breach of OPM repository databases containing security clearance files.
Over my thirty-year cyber security career, I personally held security clearances and was notified by OPM officials of the breach along with over 20 million others. Security clearance records include extremely sensitive data such as Social Security numbers, finger prints, and “extensive information about friends, relatives and others listed as references in applications for security clearances for some of the most sensitive jobs in government.”
Those of us who currently have or have had security clearances know the rigors of completing the highly sensitive 127-page Standard Forms (SF) 86 - Questionnaire for National Security Positions. SF-86 forms contain information such as about family members, college roommates, foreign contacts, and psychological information.
The compromise was carried out using Advanced Persistent Threat (APT) methods and a previous hack that exfiltrated OPM network mapping data. OPM network security engineer, Brendan Saulsbury, noticed a “beacon-like signal pinging to a site called opmsecurity.org.” The opm-security.org domain name, obviously a fraud, had been registered a year earlier, indicating that the Chinese were in OPM networks for over a year. Although Katherine Archuleta, director of OPM, initially indicated that she would not resign in the aftermath of the breach, both she and Chief Information Officer Donna Seymour subsequently resigned.
2018 Chinese Compromise of Server Motherboards
In 2015, Amazon Web Services (AWS) was interested in acquiring a company, Elemental Technologies, a developer of software capable of compressing massive video files and formatting them in a variety of formats. Elemental’s “technology had helped stream the Olympic Games online, communicated with the International Space Station, and funneled drone footage to the Central Intelligence Agency. Elemental’s national security contracts weren’t the main reason for the proposed acquisition, but they fit nicely with Amazon’s government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA.” To process software compression, the Elemental system was run on expensive servers provided by Super Micro Computer, Inc. (aka. Supermicro).
Besides use with Elemental software, San Jose-based Supermicro is one of the largest suppliers of server motherboards.
As part of AWS’ acquisition due diligence, they had Elemental Technologies send several servers to a third-party for security evaluation. The security evaluation uncovered the presence of a tiny rice-grain-sized microchip that was not part of the motherboard’s original design and is purported to provide a back door into servers. Since Elemental servers were installed in “Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships,” a top-secret investigation ensued that remains open to this day. “One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc.”
Amazon, Apple, Supermicro and the Chinese Government have vigorously denied the allegations of the compromise. However, the Apple investigation was verified by “three Apple insiders and four U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks.
In summary, Chinese state-sponsored operatives have long term objectives to dominate the world on military, economic and technological perspectives. They have a rich history of pilfering intellectual property by any means necessary. It is not a stretch to believe a company like Supermicro with the majority of its San Jose-based workforce being Taiwanese or Chinese and Mandarin is the preferred language used in the workplace could pull off a supply chain compromise of this magnitude.
As I was writing this article, on November 1, 2018, U.S. Attorney General, Jeff Sessions, announced a new initiative to combat Chinese theft of intellectual property, including a review of foreign investments in U.S. telecommunications. Sessions further indicated that the Department of Justice would recommend legislation, if necessary, to combat state-sponsored espionage and theft.
The “China Initiative”, to be led by Assistant Attorney General John Demers, will "identify priority Chinese trade theft cases, ensure that we have enough resources dedicated to them, and make sure that we bring them to an appropriate conclusion quickly and effectively.”
Additionally, Sessions announced an “indictment has been returned by a San Francisco Grand Jury in a civil suit filed by the Department of Justice to prevent Chinese and Taiwanese companies from transferring technology it says was stolen from Micron, a San Francisco-based semiconductor maker worth $100 billion and in control of almost a quarter of the RAM (random access memory) market, which is central to computing.” And on Tuesday, October 30, 2018, Federal prosecutors “unsealed charges that accused two Chinese government intelligence officers and eight alleged co-conspirators of conducting sustained computer intrusions into 13 companies in an attempt to steal designs for a turbofan engine used in commercial jetliners.”
This story is far from over and we can expect continuing cyber-related espionage and attacks from our adversaries to continue for the foreseeable future and beyond.
Incident response has always been - and will continue to be - a priority of the utmost importance. To learn how CISOBox can help, get in touch today.
Share This Article