Apple and Amazon hacked by China? Here’s what to do (even if it’s not true)

Thanks to Ross McKerchar, our CISO at Sophos, and Luke Groves, one of our Senior Penetration Testers,
for their help with this article.

The past week has seen the beginning of a saga that feels as though it could end up like Homer’s Odyssey or Virgil’s Aeneid

…a fascinating, entertaining, confusing, politically charged and unpredictable tale, littered with lyrical allusions and based on mysterious sources; a supposedly factual tale that the tellers nevertheless describe in mythological terms as “like witnessing a unicorn jumping over a rainbow” and as “a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle.”

(Actually, transporting a stick from the Yangtze and dumping it on a beach in Lake Washington isn’t a particularly difficult feat these days, thanks to long-haul air travel.)

This saga was years in the making and will probably end up as prescribed reading in years to come for any number of students who’d really rather be trying to fathom something altogether more straightforward, such as programming elliptic curve cryptography from scratch – or, for that matter, translating Homer from the original Greek.

We’re talking, of course, about the astonishing claims published by the US news publisher Bloomberg (in a Bloomberg Businessweek cover story) that Chinese military spies successfully infiltrated almost 30 major US companies, starting about three years ago, by covertly implanting ultra-tiny “zombie chips” onto server motherboards sold by a US server vendor called Supermicro.

According to Bloomberg, these chips could do two main things: call home, like any software bot or zombie, to fetch unauthorised software code; and inject this code into the system at a level below the operating system kernel, thereby subverting the kernel itself.

Bloomberg’s suggestion of how this might work is a rather simplistic example of patching the operating system so that “the server won’t check for a password—and presto! A secure machine is open to any and all users.”

In practice, access control to servers typically doesn’t work quite like that these days, with a single door that’s swung open by a function programmed into the operating system itself. But Bloomberg’s example is admittedly suggestive of the obvious danger of a kernel-level rogue helper, whether it’s hardware or software based, on any computer, whether it’s a server, a laptop or a phone.
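To make the “kernel-level rogue helper” danger concrete, here is an added example (not code from the original article, and not a model of any real Supermicro or operating system component). It models an OS authentication path as a table of checks that must all pass, a rogue helper with write access to that memory that swaps the password check for one that always succeeds, and an integrity measurement of the table that a defender can compare against a golden value taken at a trusted point. The table layout, the credentials and the FNV-1a measurement are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of an OS authentication path: every check in the table must
 * pass before a login is accepted. Constructed for illustration only. */
typedef int (*auth_check_fn)(const char *user, const char *password);

static int check_password(const char *user, const char *password) {
    /* Constructed credentials; a real system would verify a stored hash. */
    return strcmp(user, "admin") == 0 && strcmp(password, "correct horse") == 0;
}

static int check_account_enabled(const char *user, const char *password) {
    (void)password;
    return strcmp(user, "disabled") != 0;
}

static auth_check_fn auth_table[] = { check_password, check_account_enabled };
#define AUTH_TABLE_LEN (sizeof auth_table / sizeof auth_table[0])

/* Returns 1 when every check passes, 0 otherwise. */
int authenticate(const char *user, const char *password) {
    for (size_t i = 0; i < AUTH_TABLE_LEN; i++)
        if (!auth_table[i](user, password))
            return 0;
    return 1;
}

/* The "rogue helper": something running below the kernel, with write access
 * to the kernel's memory, does not need to know the password. It only needs
 * to replace the function that checks it. */
static int always_ok(const char *user, const char *password) {
    (void)user; (void)password;
    return 1;
}

void implant_patch_auth(void)  { auth_table[0] = always_ok; }
void implant_restore_auth(void) { auth_table[0] = check_password; }

/* Integrity measurement: 64-bit FNV-1a over the raw bytes of the table,
 * recorded at a trusted point (think boot-time measurement) and re-checked
 * later. Hypothetical defender logic, not a real OS facility. */
static uint64_t golden_measurement;

uint64_t measure_auth_table(void) {
    const unsigned char *p = (const unsigned char *)auth_table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof auth_table; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void record_golden_measurement(void) { golden_measurement = measure_auth_table(); }

/* Returns 1 if the table no longer matches the recorded golden value. */
int auth_table_tampered(void) { return measure_auth_table() != golden_measurement; }

int main(void) {
    record_golden_measurement();
    printf("wrong password, clean table:   %d\n", authenticate("admin", "wrong"));
    implant_patch_auth();
    printf("wrong password, patched table: %d\n", authenticate("admin", "wrong"));
    printf("tampering detected:            %d\n", auth_table_tampered());
    implant_restore_auth();
    return 0;
}
```

The caveat a practitioner will spot immediately: the measurement runs in the same trust domain as the thing being measured, so a helper that can rewrite the table can just as easily rewrite the golden value or the code that compares it. That is exactly why a rogue component sitting below the kernel is so dangerous, and why checks of this kind only mean something when they are rooted in hardware the implant cannot reach.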