from Net Politics and Digital and Cyberspace Policy Program

Cyber Week in Review: October 5, 2018

The four alleged GRU operatives implicated in the cyber operations against the OPCW and international sporting bodies. Dutch Ministry of Defense/via Reuters

This week: Chinese supply chain attacks, Russian military intelligence under the microscope, and fake news in Indonesia. 

October 5, 2018

The four alleged GRU operatives implicated in the cyber operations against the OPCW and international sporting bodies. Dutch Ministry of Defense/via Reuters
Blog Post
Blog posts represent the views of CFR fellows and staff and not those of CFR, which takes no institutional positions.

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

1. Small chips, big problems. On Thursday, Bloomberg Businessweek published a blockbuster article that draws into question the security of global supply chains. It alleges that a secret unit of the People’s Liberation Army (PLA) planted malicious microchips, each the size of a grain of rice, in server motherboards bound for the data centers of large U.S. companies like Apple and Amazon. The motherboards were manufactured by San Jose-based company SuperMicro, which builds many of its components in factories in China. Those factories appear to have provided the PLA with its access point into the supply chains of U.S. companies. While Amazon and Apple both eventually found the infected hardware, the story alleges that the PLA’s chips had already found their way into the companies’ data centers, providing the PLA with potentially unfettered access to the data of some of the largest U.S. companies.

More on:

Cybersecurity

Digital Policy

Although the companies implicated in Bloomberg’s story all issued strong denials, the implications of a hardware-based attack are grave enough to shake confidence in the integrity of global supply chains. An attack that incorporates a flaw during the manufacturing process, as opposed to tampering with hardware in transit as the NSA is known to do, is difficult. Experts have long thought that a state-actor like China would not risk the inevitable backlash associated with news that it infiltrated supply chains within its borders. This story might change that calculus, with Lawfare's, Nicholas Weaver calling it “a sobering wake-up call.” On Friday, the ripple effects from the revelations could be felt across the tech industry. SuperMicro’s stock fell nearly 50 percent while security experts speculated that more security disclosures could be forthcoming as companies begin scrutinizing their hardware supply chains. 

2. Do you have no shame, sir? The Netherlands, the United Kingdom, and the United States accused Russia's military intelligence agency, better known as the GRU, of conducting a series of cyber operations against sporting organizations as well as the Organization for the Prohibition of Chemical Weapons (OPCW). First, UK and Dutch authorities held a joint press conference detailing a "close-access cyber operation," where four GRU operatives under diplomatic cover parked outside OPCW headquarters in the Hague to hack its WiFi network. The OPCW is of interest to Moscow given its role in confirming the UK's assessment that the GRU was behind the poisoning of Sergei Skripal and its investigation in the use of chemical weapons in the Syrian civil war. Second, the U.S. Department of Justice announced an indictment against the same four GRU operatives, along with three others (who were also previously indicted under the Mueller probe), for the OPCW operation and others directed at the World Anti-Doping Agency, anti-doping bodies in Canada and the United States, the International Association of Athletics Federations, and FIFA. The targeting of these organizations was part of an influence and disinformation campaign to discredit them because of their criticism and actions against Russia's state-sponsored athlete doping program.

Unsurprisingly, Russia denied the allegations, chalking it up to an "anti-Russia spy-mania," whereas Canada, Australia, New Zealand, and France issued statements supporting the joint Dutch-US-UK allegations. This is the most recent, and arguably best coordinated, instance in which a group of Western countries have jointly denounced malicious Russian cyber activity, with a view of trying to get Moscow to change its behavior. The jury is still out on whether that will work. Russia, however, might want the GRU to invest in better operational security, like not re-using the same laptop for different field operations or prohibiting agents from taking Moscow taxi receipts with them on their way to missions. 

3. Debunking disinformation. The Indonesian government is stepping up its effort to counter fake news before that country's presidential election next year. The country’s communications ministry announced a plan to hold a weekly briefing that debunks disinformation as part of a public-facing education campaign. Indonesia is the world’s third-largest democracy—it also has one of the highest rates of social media usage among its citizens in the world. That’s fertile ground for disinformation and hoaxes. On Thursday, Indonesian authorities arrested eight people responsible for a campaign to spread fake information about the tsunami that hit Indonesia’s Sulawesi island. 

More on:

Cybersecurity

Digital Policy

Creative Commons
Creative Commons: Some rights reserved.
Close
This work is licensed under Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) License.
View License Detail
Close