In this week’s episode (#115), noted hardware enthusiast and hacker Joe Grand (aka “Kingpin”) told reporters from Bloomberg that finding an in-the-wild supply chain hack implanting malicious hardware on motherboards was akin to witnessing “a unicorn jumping over a rainbow.” They went with their story about just such an attack anyway. Joe joins us in the Security Ledger studios to talk about whether Bloomberg got it right. Also, Adam Meyers of Crowdstrike comes into the studio to talk about the U.S. Department of Justice indictment of seven Russian nationals. Adam talks about the hacks behind the charges and what comes next.
News Flash: Unicorn Jumps Over Rainbow
Joe Grand (@joegrand) is one of the most noted experts on the security of computer hardware. His work dates back to the mid 1990s, when Grand (aka “Kingpin”) was a member of the Boston-based hacking collective L0pht Heavy Industries.
That reputation is probably why Grand was among the experts that two Bloomberg reporters, Jordan Robinson and Michael Riley, reached out to almost two years ago as they chased down a blockbuster story about a sophisticated campaign by China’s military to place compromised hardware directly on motherboards made by the U.S. firm Super Micro, a supplier to the U.S. military and intelligence sector, not to mention the likes of Amazon and Apple.
Grand described for them the advantages of planting malicious hardware directly on motherboards – the difficulty in detecting them, the near-permanent access they afford to attackers skilled enough to place one. But such attacks were beyond rare – more in the realm of mythical. Absent any knowledge of what the reporters had uncovered and stretching for a way to explain how rare and elusive they were, Grand told the reporters that “having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.”
Fast forward more than 18 months, and the work of those two reporters, including Grand’s “unicorn” quote, finally hit the newsstands, dominating conversation in both the technology and mainstream media for much of last week. It has also generated lots of controversy and open questions about whether Robinson and Riley got it right.
In the days since the story ran, both Apple and Amazon – not to mention Super Micro – have issued categorical denials of the facts presented by Bloomberg. Both Apple and Amazon describe multiple internal investigations that failed to turn up evidence of a compromise and subsequent conversations with incredulous Bloomberg reporters to refute the allegations.
Where does that leave us? To answer that question, we invited Joe into the Security Ledger studios. He is the founder of Grand Idea Studio, a San Francisco-based research and development firm and a noted expert on hardware-based vulnerabilities. In this interview, Grand says he counts himself as a skeptic on the substance of the Bloomberg report. While hardware implants – done well – may be impossible to spot in a physical inspection of compromised devices, that doesn’t mean they stay hidden.
“Even if the hardware is there and there’s some kind of manipulation on the system, at some point if you have this command and control happening, the device is opened to the Internet,” Grand told me. “If there’s some kind of network traffic coming from these devices, then why is nobody seeing this?”
Check out our full conversation in this week’s podcast!
Seven Guys Named Alexey
Last week, the US Department of Justice joined its counterparts in the UK and the Netherlands in issuing indictments for seven Russian nationals that it alleged were responsible for a wide-ranging campaign of hacking, data theft and disinformation. The men were all reported to be officers in Russia’s GRU intelligence service. Their targets: a laundry list of organizations that had run afoul of the Kremlin in recent years. They included the World Anti-Doping Agency, which levied bans and punishment on Russian athletes following revelations of a massive, state-sponsored doping campaign, and the Organization for the Prohibition of Chemical Weapons (OPCW), which conducted tests of nerve agents used in the poisoning of former Russian spy Sergei Skripal and his daughter in Salisbury, England in March. Also targeted: Westinghouse Electric, a major US industrial firm that counts the government of Ukraine as a customer.
What else do the indictments reveal about Russia’s cyber offensive capabilities? And will naming and shaming Russian intelligence officers have any impact on the activities of the GRU, FSB and other state-sponsored actors? To find out, we invited Adam Meyers, the Vice President of Intelligence at the firm CrowdStrike, back into the studio. Adam says CrowdStrike has been observing the actions against WADA and OPCW for years. Key to those campaigns was gathering intelligence that could be used to fuel online disinformation campaigns – what Meyers called “fake-tivism” – targeting the groups.
But the indictments still revealed details of the operations that surprised him. That includes details of the GRU’s willingness to do “up close” attacks on hotel wifi and other assets used by its targets. That shows a level of commitment that Meyers said he hasn’t seen before. “To see Russia sending intelligence officers to a target country under cover? That’s definitely a step up from what we’ve seen in the past,” he said.
Also of interest – but only briefly mentioned in the indictment – is the GRU’s campaign against Westinghouse Electric. Meyers said that, while the WADA and OPCW attacks were likely intended to obtain embarrassing information on those organizations, Westinghouse was likely targeted to gain information on what business the company was doing with Ukraine.
Check out my interview with Adam in part II of our podcast.