image

Espionage

Bloomberg’s report of China hacking comes in for a new round of scepticism

  • A month after ‘The Big Hack’ was published, questions are raised about the extent of its investigation, with some key allegations attributed to single anonymous sources
PUBLISHED : Wednesday, 07 November, 2018, 6:50am
UPDATED : Wednesday, 07 November, 2018, 3:54pm

Last month, a Bloomberg investigative report contending that Chinese chips had hacked into US corporations and federal agencies using devices equipped with malicious hardware not only stirred up debate but met with adamant denials from three companies singled out in the story, Apple, Amazon and Super Micro.

The Bloomberg BusinessWeek cover story “The Big Hack” detailed how Chinese factories inserted a tiny chip onto computer motherboards and sold them to dozens of US companies, in an aggressive espionage campaign to steal trade and other secrets from the US. Super Micro, which makes the motherboards in question, sells the equipment to Apple and Amazon, which in turn use them in their products.

Apple, Amazon deny report China used tiny chips to hack into their networks

On the day of the publication, the US companies issued statements to deny the allegations. In its defence of its report, Bloomberg BusinessWeek said the article was the result of more than 100 interviews. Additionally, it cited as many as 17 anonymous sources.

But a new wave of resistance from companies and people mentioned in the story questions the scope of its sourcing and notes that a number of key allegations only relied on a single anonymous source.

When describing the campaign, “The Big Hack” recounted that “in one case, the malicious chips were thin enough that they’d been embedded between the layers of fibreglass onto which the other components were attached, according to one person who saw pictures of the chips”.

Super Micro tells US lawmakers it found no Chinese spy chips, denying Bloomberg report

Another passage stated that “government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one US official”.

Another focus of scrutiny from naysayers: the vagueness in describing “insiders” at the companies. The report never defines the term, nor does it say these sources are “directly from” or “employees” of the companies, according to a person at one of the complaining companies who asked not to be named because of the sensitive nature of the issue.

A Bloomberg spokesperson did not comment on the issue of the report’s sourcing on Tuesday.

The US companies mentioned in the story have been pushing back through various channels in the days that followed publication of “The Big Hack”. Apple sent a letter to the senators who chair the Committee on Commerce, Science and Transportation and the Committee on Energy and Commerce, denying any evidence of malicious chips.

On October 19, during an interview with Buzzfeed, Tim Cook demanded that Bloomberg retract its story, a first for the Apple CEO. In the same week, Amazon Web Services CEO Andy Jassy and Super Micro CEO Charles Liang joined Apple in demanding a retraction.

Amazon and Super Micro back Tim Cook, call for Bloomberg to withdraw story

Meanwhile, government officials have expressed support for the companies. The US Department of Homeland Security issued a statement that “we have no reason to doubt the statements from the companies”. In a hearing before the Senate Committee on Homeland Security and Governmental Affairs, Chris Wray, the director of the FBI, and Kirstjen Nielsen, the secretary of homeland security, both suggested there was no proof Chinese espionage had compromised American technology.

“Bloomberg's ‘Big Hack’ story is the single biggest cock-up in infosec [information security] reporting that I know of,” said Thomas Rid, a professor of strategic studies at Johns Hopkins University’s School of Advanced International Studies. “Yes, a supply-chain hack is possible in theory. That is not the point. The point is that there is no evidence so far for an alleged operation.”

All you need to know about Super Micro

Casting more doubt into the article’s sourcing, Joe Fitzpatrick – a named interviewee in the Bloomberg report – said in an interview with Risky Business, a podcast on security issues, that the story “does not make any sense”.

“What really struck me is that like all the details that were even remotely technical seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked,” said Fitzpatrick, referring to the annual information security industry event.

Dennis Wilder, a former China and East Asian specialist for the National Security Council, said that among the intelligence community, “there’s a lot of suspicion of this argument on the technical side.

“Maybe they just did not understand the technical things they received,” he added.

Despite the escalated resistance, Bloomberg has not retracted the story. Indeed, the media company has stuck with the statement it issued shortly after its publication.

Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson for Bloomberg wrote.

“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies' full statements, as well as a statement from China's Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”

Additional reporting by Jun Mai.