American national security officials believe that spies working on behalf of an adversarial nation-state successfully carried out an attack against US companies by compromising a key hardware supply chain, according to a report issued October 4 by Bloomberg Businessweek. The report details how the attackers implemented a “seeding” attack by installing tiny, malicious microchips on motherboards—a type of computer circuit board that houses processing and other essential components—that were assembled in Chinese factories. The exploit apparently had a ripple effect, as the compromised motherboards were ultimately installed in commercial servers that are widely distributed in the United States. One official estimates that the attack affected almost 30 companies, including a major bank and government contractors, and may have enabled the attackers to communicate with or infiltrate the sabotaged servers.
Regardless of whether the hardware attack was successful—and some of the allegedly targeted companies vociferously deny the government’s claims that it was—the report highlights the serious cybersecurity risks surrounding technology supply chains. Although software-based hacks such as spear phishing and zero-day attacks are in the news far more often, hardware exploits can do much more long-term damage. What is more, these “seeding” attacks that target hardware supply chains are more difficult to detect than attempts to sabotage hardware that is already operational, and they present unique challenges to investigators attempting to trace the source of the attack, given the myriad vendors and contractors in complex technology supply chains.
Recognizing this risk in light of the continuing attacks on industrial control system operators, the Federal Energy Regulatory Commission earlier this year proposed to adopt the North American Electric Reliability Corporation’s new and modified Critical Infrastructure Protection reliability standards focused on supply chain risk management. As we reported previously, if approved, the changes will require electric utilities to develop a plan to mitigate supply chain cybersecurity risks posed by vendor products and services, particularly during the procurement process.