“Novichok spymaster” dies

GRU director Igor Korobov


The twisty Skripal affair takes another turn as the head of Russia’s GRU, who is viewed as the mastermind of the poisoning, is reported dead:

One of Russia’s highest-ranking spies and the powerful head of military intelligence has died “after a long and serious illness,” a Defense Ministry spokesperson told the news agency RIA Novosti. Gen. Col. Igor Korobov, the 63-year-old head of Russia’s Military Intelligence Directorate (GRU), was reported dead early Thursday morning; currently there are no reports of foul play, though officials did not reveal specific details or the circumstances of his death.

Crucially Korobov had been dubbed by the West the “Novichok spymaster” — as the Russian GRU chief ultimately blamed for the Salisbury attack as well as the downing of MH17 over Ukraine in 2014, which the Kremlin in turn had blamed on pro-Kiev national forces.

Korobov had for two years been under US sanctions, added by US Treasury in December 2016 related to allegations of Russian hacking and “efforts to undermine democracy”. Ironically, however, he was seen at times as a cooperative ally in Washington’s “war on terror” efforts since 9/11. […]

What’s the real story here? As usual… who knows? But here’s a possible clue:

Korobov had been ill since early October, when reports revealed he was severely reprimanded by President Putin himself over mishandling accusations surrounding the alleged Salisbury poison attack the West pinned on Russian intelligence.

The Daily Mail reports:

President Vladimir Putin personally gave a dressing down to the head of Russian spy agency GRU over ‘deep incompetence’ shown in the Salisbury poisonings and other international operations.

GRU chief Col-Gen Igor Korobov, 62, reportedly emerged shaken and in sudden ‘ill health’ after his confrontation with the furious Russian president.

As for the “deep incompetence”: the once-fearsome GRU is apparently not sending its best.

Is Bloomberg peddling fake news about Chinese hardware hacking?

Infosec hardware implants

The state of infosec right now (Credit: Colin O’Flynn)

The jury is still out, but this isn’t looking great for Bloomberg:

The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication. […]

Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign. […]

On the possible failure of adequate fact checking, earlier this week one of the security experts that Bloomberg spoke to in order to explain how the claimed spy chip would actually work, Joe Fitzpatrick, gave an interview to Aussie veteran infosec journalist Patrick Gray in which Fitzpatrick said he had told the Bloomberg spy-chip reporters of his doubts that it was feasible and that he was “uncomfortable” with the final article.

An NSA official is also pushing back:

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek’s bombshell “The Big Hack” report about Chinese spies compromising the U.S. tech supply chain.

“I have pretty good understanding about what we’re worried about and what we’re working on from my position. I don’t see it,” said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.

“I’ve got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody’s found anything,” Joyce added.

Twitter user Hector Martin (@marcan42) had a fierce response to Bloomberg’s second story on the alleged Chinese hardware hacking:

Ah, I see, Bloomberg. So instead of a (partial) retraction of your at least half if not fully bullshit China implant story, you’re going to now publish *one guy’s* claim of Ethernet jack implants. When you had <5 days to check anything he provided.

Remember when a certain other security researcher was convinced his Ethernet jacks had implants? Remember all this “evidence”? How *we* knew it was BS? Now consider whether Bloomberg’s technically clueless journalists would know it’s BS.

Seriously, this is just pathetic now. They just went from “1 year and multiple sources” to “<5 days and one guy”. This is just negligence.

https://t.co/eReEXegOHZ

Why is it that every time something like this happens nobody has any hard documentation or analysis results? Ah yes, the best cop-out. “We don’t have it any more, we can’t give you more details”.

So now we have *software* detecting *analog* stuff like the “power consumption” of a *network*.

None of those words go together. At all.

Basically every Ethernet jack I’ve seen in anything but cheapo consumer routers/switches has been metal. How the hell is this an IOC?

Never mind that… Ethernet jacks don’t have power pins. Where is this module (that uses so much power that it gets hot) magically powering itself from? Nobody runs PoE out to servers. Did they modify the board design to add power pins too?

Commenting on the above thread, Joe Fitzpatrick had this to say:

I was contacted and declined to give comment for this story. I explained this wasn’t the first time this year someone was making this claim.

@marcan42 has experience debunking claims of ‘backdoored’ ethernet jacks. Details in this story are almost identical to last time.

Sepio systems also shared a document with me yesterday. It had juicy details about rogue hardware.

It was a marketing 1-pager.

Whatever the truth of the matter, Yossi Appleboum, the former Israeli intelligence officer cited in Bloomberg’s follow-up story, gets the last word:

We found it in different vendors, not just Supermicro. We found it not just in servers, in different variations, but hardware manipulation on different interfaces, mostly in network related. We found it in different devices connected to the network, even Ethernet switches. I am talking about really big what are considered to be major American brands, many compromised through the same method.

This is why I think that Supermicro has nothing to do with that. In many cases, by the way, it is not through manufacturing, it is after through the supply chain.

People think of the supply chain in a very narrow sense between the manufacturer and the customer. Supply chain never ends. There are technicians, there are integrators, there are people that work in your facilities. We have seen after installation, after the fact attacks where someone switched something already installed. This is why Supermicro would have no idea what happens later in the supply chain. […]

We have a problem. The problem is the hardware supply chain. All of us are dealing with what happened to Supermicro, and whether Amazon knew or did not know. That is not the main issue for me. The main issue is that we have a problem. It is global. This is why I think Supermicro is suffering from the big players. I am talking about the really big players who know that they have the same problem, and they are kind of using the story right now to throw Supermicro under the bus instead of coming out and saying that it is a global problem, let’s fix it and find a solution.

More evidence of massive Chinese hardware hack

Bloomberg has a new story out about China’s alleged tampering with the global hardware supply chain, revealing that an unnamed major US telecom company discovered a malicious implant in a Supermicro server back in August. The source of the story seems credible (Bloomberg’s previous story on the Supermicro hacking did not name sources).

If true, the scale of the potential damage from this hardware hacking is almost incomprehensible.

In the wake of Bloomberg’s reporting on the attack against Supermicro products, security experts say that teams around the world, from large banks and cloud computing providers to small research labs and startups, are analyzing their servers and other hardware for modifications, a stark change from normal practices. Their findings won’t necessarily be made public, since hardware manipulation is typically designed to access government and corporate secrets, rather than consumer data.

National security experts say a key problem is that, in a cybersecurity industry approaching $100 billion in revenue annually, very little of that has been spent on inspecting hardware for tampering. That’s allowed intelligence agencies around the world to work relatively unimpeded, with China holding a key advantage.

Brian Krebs has an insightful post about the issue on his security blog. Of particular interest:

The U.S. Government isn’t eager to admit it, but there has long been an unofficial inventory of tech components and vendors that are forbidden to buy from if you’re in charge of procuring products or services on behalf of the U.S. Government. Call it the “brown list,” “black list,” “entity list” or what have you, but it’s basically an indelible index of companies that are on the permanent Shit List of Uncle Sam for having been caught pulling some kind of supply chain shenanigans.

More than a decade ago when I was a reporter with The Washington Post, I heard from an extremely well-placed source that one Chinese tech company had made it onto Uncle Sam’s entity list because they sold a custom hardware component for many Internet-enabled printers that secretly made a copy of every document or image sent to the printer and forwarded that to a server allegedly controlled by hackers aligned with the Chinese government.

And he identifies the crux of the issue:

Like it or not, the vast majority of electronics are made in China, and this is unlikely to change anytime soon. The central issue is that we don’t have any other choice right now. The reason is that by nearly all accounts it would be punishingly expensive to replicate that manufacturing process here in the United States. […]

Indeed, noted security expert Bruce Schneier calls supply-chain security “an insurmountably hard problem.”

The original Bloomberg piece, as he points out, also addresses what he calls “this elephant in the room.” Quote from that piece:

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories.

As time goes on, the evidence mounts that offshoring advanced manufacturing to low-cost countries in Asia was an epochal blunder by the US. Now the US is abjectly dependent on a hardware supply chain that may be deeply compromised and there is no obvious way to fix or even detect its vulnerabilities. However, to call this “an insurmountably hard problem” is an exaggeration; it is merely staggeringly hard.

The solution would almost certainly have to involve moving a large amount of high-tech production back to the US. This would be terrifyingly expensive, but the US may not have a choice, and the economic benefits of creating all those new jobs and factories could be enormous.

Anything that has been offshored can be reshored. Anything that was invented in the US can be made in the US. If I’m wrong, please explain how.

Spy fail

Burn After Reading GRU

Suspected GRU operative

The GRU, what happened to you?

It must go down as one of the most embarrassing months ever for Russia’s military intelligence.

In the 30 days since Theresa May revealed the cover identities of the Salisbury poison suspects, the secretive GRU (now GU) has been publicly exposed by rival intelligence agencies and online sleuths, with an assist from Russia’s own president.

Despite attempts to stonewall public inquiry, the GRU’s dissection has been clinical. The agency has always had a reputation for daring, bolstered by its affiliation with special forces commando units and agents who have seen live combat.

But in dispatching agents to the Netherlands who could, just using Google, be easily exposed as graduates of an elite GRU academy, the agency appears reckless and absurdly sloppy.

In response to the surreal interview with the Skripal poisoning suspects, I wrote: “I thought Russian intelligence operatives were supposed to be smart? What is going on here?” It gets worse:

[…] And then came Thursday’s bombshell: four men outed by Dutch investigators for attempting to hack into the Organisation for the Prohibition of Chemical Weapons (as well as Malaysia’s investigation into a downed jetliner).

The alleged spies were caught carrying enough telephones to fill an electronics store. Moreover, like all meticulous Russians on a business trip, they held on to their taxi receipts from GRU headquarters.

At a glance, it’s hard to square such ridiculous incompetence with the idea that Putin and his operatives are crafty enough to destroy Western democracy. In any case, the GRU’s epic fails do seem to indicate the declining value of human intelligence in the age of the internet.

US hardware supply chain compromised by Chinese spies

Supermicro

Holy moly, this is huge. According to a Bloomberg Businessweek investigation, a unit of the People’s Liberation Army secretly inserted tiny, malicious microchips into motherboards that were manufactured in Chinese factories for the US-based company Supermicro. These motherboards were used in expensive servers supplied to Amazon, Apple, the Department of Defense, the CIA, and the US Navy, among others. From the Bloomberg piece:

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

This is really bad.* Say goodbye to US reliance on Chinese components. It will take time to reorient the global supply chain, but the effort is already underway. This scandal, which has been known (of course) to the Obama and Trump administrations, will only strengthen the case for manufacturing sensitive technologies in the US.

[…] Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the meantime, Mike Pence accuses China of a host of sins including interfering in the US democratic process:

Vice President Mike Pence escalated Washington’s pressure campaign against Beijing on Thursday by accusing China of “malign” efforts to undermine President Donald Trump ahead of next month’s congressional elections and reckless military actions in the South China Sea.

In what was billed as a major policy address, Pence sought to build on Trump’s speech at the United Nations last week in which he alleged that China was trying to interfere in the pivotal Nov. 6 midterm elections. Neither Trump nor Pence provided hard evidence of Chinese meddling.

That’s not quite right: Pence does mention, for example, the widely noted Chinese advertising supplement in Iowa. From the transcript:

And China is also directly appealing to the American voters. Last week, the Chinese government paid to have a multipage supplement inserted into the Des Moines Register –- the paper of record of the home state of our Ambassador to China, and a pivotal state in 2018 and 2020. The supplement, designed to look like the news articles, cast our trade policies as reckless and harmful to Iowans.

I pointed out this bit of propaganda on September 23, referencing a tweet by Bloomberg’s Jennifer Jacobs. Trump then tweeted about it on September 26. Read my blog to see the future!

Pence also calls on Google to “immediately end development of the ‘Dragonfly’ app that will strengthen Communist Party censorship and compromise the privacy of Chinese customers.” More about Dragonfly here.

===

*Only fair to link to Supermicro’s response to the Bloomberg piece:

SAN JOSE, Calif., October 4, 2018 — Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.

In an article today, it is alleged that Supermicro motherboards sold to certain customers contained malicious chips on its motherboards in 2015. Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found.

Each company mentioned in the article (Supermicro, Apple, Amazon and Elemental) has issued strong statements denying the claims […]

CIA debacle in China

From Foreign Policy, we learn how China managed to roll up the CIA’s entire network of informants across the country in 2010-12, executing about 30 people in total:

It was considered one of the CIA’s worst failures in decades: Over a two-year period starting in late 2010, Chinese authorities systematically dismantled the agency’s network of agents across the country, executing dozens of suspected U.S. spies. But since then, a question has loomed over the entire debacle.

Now, nearly eight years later, it appears that the agency botched the communication system it used to interact with its sources, according to five current and former intelligence officials. The CIA had imported the system from its Middle East operations, where the online environment was considerably less hazardous, and apparently underestimated China’s ability to penetrate it. […]

The former officials also said the real number of CIA assets and those in their orbit executed by China during the two-year period was around 30, though some sources spoke of higher figures. The New York Times, which first reported the story last year, put the number at “more than a dozen.” All the CIA assets detained by Chinese intelligence around this time were eventually killed, the former officials said. […]

Some staggering technical incompetence on the part of the CIA appears to have been involved:

Although they used some of the same coding, the interim system and the main covert communication platform used in China at this time were supposed to be clearly separated. In theory, if the interim system were discovered or turned over to Chinese intelligence, people using the main system would still be protected—and there would be no way to trace the communication back to the CIA. But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.

And a tweet from the author, Zach Dorfman:

This didn’t make it into the piece, but here’s how the Chinese treated people working with the CIA: According to one source, one asset working at a state tech institute, and his pregnant wife, were executed live on closed circuit TV in front of the staff.

What a disaster. HUMINT is a dangerous game, even more so when sloppy tradecraft is being used. Also, I question the value of this type of high-risk skullduggery. Chinese intentions with regard to the US are not hard to discern, and access to all the secrets in the world is useless if a country is not willing to defend its national interests.

China targets the Bay Area

Is Silicon Valley the soft underbelly of the US? “There’s a full-on epidemic of espionage on the West Coast right now,” according to this article in Politico.

Russia’s interference in the 2016 presidential election has given Putin’s regime an outsized role in the national conversation on espionage. But talk to former intel officials, and many will say that China poses an equal, if not greater, long-term threat. “The Chinese just have vast resources,” said Kathleen Puckett, who worked counterintelligence in the Bay Area from 1979 to 2007. “They have all the time in the world, and all the patience in the world. Which is what you need more than anything.” (China’s Embassy in Washington did not respond to requests for comment.)

Because of California’s economic and political importance, as well as its large, well-established, and influential émigré and Chinese-American communities, the People’s Republic places great weight on its intelligence activities here, said multiple former intelligence officials. Indeed, two told me that California is the only U.S. state to which the Ministry of State Security—China’s main foreign intelligence agency—has had a dedicated unit, focused on political intelligence and influence operations. (China has had a similar unit for Washington.)

And if California is elevated among Chinese interests, San Francisco is like “nirvana” to the MSS, said one former official, because of the potential to target community leaders and local politicians who may later become mayors, governors or congressmen. Their efforts are becoming increasingly sophisticated.

There are some extraordinary revelations about alleged Chinese espionage and influence activities in San Francisco, including the suspected co-opting of local power broker Rose Pak by Chinese intelligence. The article also reveals that Chinese officials are believed to have bused in 6,000 to 8,000 J-visa-holding students from across California to disrupt anti-Beijing protests in San Francisco during the 2008 Olympic torch relay. There’s much more, so read the whole thing.