Updates on Supply Chain Level Backdoors and Magecart
After our briefing last week on Bloomberg's report that hardware backdoors were placed into the hardware of major US corporations, little new solid information has become available. However, US lawmakers have begun sending requests for more information to Supermicro, the vendor implicated in the reports.
This can be seen as mostly posturing. Whether or not Supermicro is involved in any scheme, it is highly unlikely to admit to it. Likewise, since the Bloomberg report quoted ongoing police investigations, querying the results of those would appear to be the easier path to accurate information for the senators.
In the meantime, new reports from Bloomberg indicate that US telco providers might also have been targeted by the same scheme.
Whether or not these claims are accurate is still unknown. As we stated in our previous briefing, the concept of hardware-level backdoors is very believable and likely already being abused by state actors in preparation for larger cyber attacks. However, there is still no public proof for this particular report, and two issues cast significant doubt on it: the overall poor security of Supermicro hardware, which makes dedicated hardware backdoors redundant, and the question of why a hardware manufacturer would choose to add a chip instead of backdooring an existing chip.
We will keep you updated as this topic evolves.