By Eyal Levinter
Following the Bloomberg investigation that revealed Chinese spy chips embedded in computers and servers of Western companies, we interviewed Yossi Appleboum, a veteran of Israel's Unit 8200 (the Israeli equivalent of the NSA) and an international cyber expert, who told us about spy chips he has held in his own hands.
‘The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies’ was the headline of an investigative article published in October 2018 by Bloomberg, which triggered reactions throughout the world. The article claimed that Chinese intelligence infiltrated Chinese production plants that manufactured motherboards for computers and servers, and embedded tiny spy chips in them. In this way, it succeeded in spying on more than 30 American companies, among them Apple, Amazon and US government contractors, that had purchased servers and computers built on the motherboards carrying those malicious chips.
Apple and Amazon denied the allegations that their systems contain malicious chips. Richard Clemmer, CEO of the chipmaker NXP, said in November at a Wall Street Journal technology conference that it is “not practical” to believe China is spying on companies by embedding chips in their technology. Renee James, Intel’s former president, said at the same conference: “You don’t just embed something [into a system].”
Contrary to those claims, Yossi Appleboum, founder and CEO of the cyber company Sepio Systems, has held in his hand similar (not identical) spy chips that were found in different places around the world. He says it is possible to plant them in computers and in secured systems. “We found similar attacks in several places. We found some kind of hardware implant in a mouse, in a keyboard and in a printer,” he said in an interview with The Epoch Times.
Appleboum is a veteran of Israel's Unit 8200, which is similar to the NSA. In 1998 he founded WebSilicon, a company specialising in monitoring and protecting the physical layer of networks, together with Iftah Bratspiess and Bentsi Ben-Atar, two friends from the same army unit. At the end of 2002, WebSilicon was sold to Magal, the NASDAQ-listed Israeli security giant, and became its cyber branch. Appleboum subsequently moved to Washington, and in 2016 the three of them and an American partner founded Sepio.
“We brought in Tamir Pardo, former head of the Mossad (until 2016), as the chairman. We built a powerful active advisory board which included Robert Bigman, who was the CIA Chief Information Security Officer for 15 years; Geoff Hancock, who was former Chief Information Security Officer of the US Department of Defense (DoD); and Rami Efrati, one of the founders of the Israeli National Cyber Organisation.”
In which companies did you find those spy chips?
Without naming specific names, I would say that we found them in a bank, in a data centre and in a communication infrastructure that is considered very safe. The implant, which is actually infected hardware, performed wide attacks on these organisations. It created ways for information to leak. This is the characteristic of many attacks that we track.
This is how the attacker is able to stay inside the organisation for an almost unlimited period of time, since there is almost no defence against hardware attacks, and the present defence tools don’t identify the attacks. For example, when the attacker attacks using a printer with an embedded implant, it could alter the printed materials. If you send a financial report, incorrect, manipulated data would be printed. In some cases, the damage could be irreversible.
Is it possible to identify who performed the attack?
Sooner or later, when you monitor these attacks in different places around the world, you will be able to find out where they came from. You can understand the ‘fingerprint’ of the developer or the organisation. We also investigated the source of the attack, mainly on the Dark Net. We see conversations between attacking parties dealing with each other about attack tools; sometimes we see bragging or even a market with proposals and negotiations: ‘I will give you so and so, and in return you will give me [an attack capability].’
Today, most hardware is not designed with consideration of what could be done to it later. If I am the attacker and I have embedded an implant into your hardware during the manufacturing process, you may go backwards and conclude that it happened during manufacturing. You may identify the manufacturer’s address and start an effective investigation. But in case it is not clear that the implant occurred during manufacturing – and it can happen all through the life of the product, starting at integration and installation and even later – the ability to go backwards and identify who performed the attack is much more difficult. It needs an intelligence investigation.
Nevertheless, China immediately stands out as the main suspect. It isn’t a secret that nowadays most computers are manufactured in China.
It is true. It is not only that most of the hardware is manufactured there; most of the hardware is developed there as well.
The attackers sat downstairs.
(Appleboum tells me that he found attack tools in IP phones and inside communication switches.)
Let’s say that I am a spying organisation that wants to attack another company. I will go to a vendor that sells them the equipment and a moment before the equipment is sent to the company, or a moment later, I will embed some implant inside that will allow the equipment to leak the information. In most cases, hardware manufacturers leave hardware connectors open on the board, which enable access to either the processors or internet connections. This situation is like paradise to the attackers. I can easily connect to them – create a small board that looks entirely like the other boards in the legitimate hardware, and thus enter easily and effectively.
If you open 30,000 telephones of a well-known manufacturer, there is a small chance of finding an implant. That’s because the attacking organisation isn’t stupid. But if you open five phones in an organisation under attack, the chance of finding a chip is high.
Is it possible that such an implant will transmit the information wirelessly to a Chinese crew that is located a few hundred metres away, or will the implant just open a back door for the attackers to connect to the company’s computers from afar through the internet?
Unlike software attacks, in which the attack occurs through the communication infrastructure of the organisation, in a hardware attack we usually find short- or long-term communications which don’t run through the regular organisation network. Mostly it is wireless, and it may then transmit to a next-door neighbour. Sometimes it is cellular, and the attacker may be on the other side of the world. I came across critical infrastructure in an Asian country where one of its offices was located in the same building in which the attackers sat as well.
The Bloomberg article talks about a small component, but in most cases it is a complex assembly and not just a small component. In theory a small chip can transmit information as well, but mostly these are assemblies that contain all kinds of wireless components.
Let’s talk about installing spyware measures in bigger infrastructure. In Israel, for example, the Chinese built the light rail in Tel Aviv a few metres from the infrastructure of the Kirya (a military complex that hosts the Israeli General Staff). The fear is that they will install some spyware measures that will enable them to listen to what is happening in this complex. Is it possible and realistic?
The biggest dream of any intelligence organisation is to get physical access to its target. The fact that they dig inside our country and their crew is present there is very disturbing. Is it possible to hide something that will allow them to create a cyber-attack while they dig? The answer is absolutely yes. As a matter of fact, things like this have happened already and there are stories about attacks on communication fibres all around the world. These things happened in the past and will happen in the future.
Another concern is the building of ports, like the new Haifa port and the new Ashdod port in Israel. In Haifa, the Chinese built very close to a naval base. Is it worthwhile for them to take the risk and install something in the port infrastructure, or even to spy on a military base that can be watched with satellites?
The question ‘is it worth the risk’ isn’t a wide question. You need to remember one thing – if such an attempt is discovered, it will be very difficult to prove the identity of the attacker. More than that, sometimes you find attacks but you don’t publicise them because you don’t want to reveal the attack’s technology. You can use this in order to manipulate the other side.
I think that intelligence agencies in Israel are definitely aware of the threat. The question is whether someone will listen to them.
Given the current atmosphere in the world, in which US president Donald Trump is leading a clear line of objection to technology theft and Chinese spying, and many more nations are trying to block trade that may enable the Chinese to obtain sensitive technology, why do you think Israel continues to let China purchase almost everything? The vice president of China visited Israel just recently and participated in the Innovation Conference.
This is an enigma to me. I don’t understand why we, as Israelis, behave like we do. I can’t explain why Israel gives the Chinese easy access to knowledge and infrastructure. I think that we, as a nation, don’t act according to the level of threat.
In Israel, there is a common perception that technological cooperation with China is good for the Israeli economy. It may be so, but I am not sure that Israel understands the threats. I think that we are [different] from the Americans who understand the threats better now, and therefore either tend to disengage with the Chinese or have such regulations that forbid Chinese companies from having unlimited access to technology. We don’t act like this in Israel and it may cost us dearly.
Many times, people say that Israel is small and therefore China has no interest in Israel beyond technology. I don’t agree. But even if this saying is true, Israel, as a nation that deals in technology, is an interesting gateway into other countries. If they implant attack means through us, they will infiltrate other targets around the world.
I would suggest that the Israeli government consider that since this is happening to others (the US), it is surely happening to us as well.
Translated from Epoch Times Israel