TECHINT The Impact of Supply Chain Attacks on the Defense Industry


Experienced member
64 30,799
Nation of residence
Nation of origin
For a different forum, I wrote an article on the importance of Supply Chain Attacks in the Defense Industry Sector in 2019. Here I am sharing its English version again.

Definition of Supply Chain Attacks

In the American convention, which was enacted on September 4, 2018, the most basic statement used in Supply Draft Attacks in the related bill is as follows:

Hardware, systems, devices, software, or services that include embedded or incidental information technology. (page 2 item E)

In the same bill, the targets of Supply Chain Attacks are listed as follows.

SUPPLY CHAIN RISK.--The term 'supply chain risk' means the risk that a malicious actor may sabotage, maliciously introduce an unwanted function, extract or modify data, or otherwise manipulate the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered article so as to surveil, deny, disrupt, or otherwise manipulate the function, use, or operation of the information technology or information stored or transmitted on the covered articles.
(page 2 item 7 of the bill, which is also linked to above)

Here we learn that any system that carries any electronic circuit board (whether it's an F-22 fighter plane or a Volkswagen on the street doesn't change anything) can be used for espionage or sabotage.

In 2010, under the auspices of the American government, industry, government officials, a committee of academicians from the university prepared a report in the study of Supply Chain Attacks classified as follows.

It has been pointed out that electronic components, including microchips, may be replaced by counterfeit components at some stage of the supply chain, and that the modified circuit element may comprise a cyber virus. It is also noted that if the electronic components are connected to any network accessible to enemy attackers, the virus can take control of the network.

Logic Bombs

Even if the virus is not connected to any network, it will not fail to achieve its programmed target. A logic bomb may remain inactive until it encounters whatever condition / target it is programmed to.

It is almost impossible to detect the logic bomb from the moment it is placed in the system. Since the virus is encoded in hardware, it still exists even if the host software is upgraded. The fact that the counterfeit hardware placed on the electronic circuit board is of microscopic size makes it difficult to detect extra. A virus prepared by a professional team performs all the tasks it needs to perform. For example, if the missile to be fired from an F-22 fighter is locked to China's J-20 fighter as the target, the virus will be activated and will perform its mission.

Hardware Based Spying Technologies

When we look at the level of development of espionage technologies used in Supply Chain Attacks from past to present; In 2007, Seagate produced a virus for the US military in Thailand, which was installed on a hard drive in China to send information to a specific IP address was in question.

Today, the age of embedded hardware has begun

While Supermicro is an electronics company that produces motherboards for servers, it has been determined that small electronic equipment from rice grains are integrated in the production, instead of subcontractors in China. The servers of Elemental Technologies, which bought Supermicro's motherboards, were used for videoconferencing in the Pentagon's data centers and in the communication of American battleships with the mainland before this incident was disclosed.

In the story that everyone knows today, technical details seem to be interesting for the announcement of the technologies used in supply chain attacks today. Because the microchips are designed in a way similar to the signal enhancement components on the motherboards to avoid attention. However, each of the chips has memory for attack, processing power and networking capability.

To be able to give an example from the US Congress to the Supply Chain Attacks identified in the field as one to one.
I quote one-to-one from the November 2011 report of the Congress

The SH–60B is a Navy helicopter that conducts anti-submarine and anti-surface warfare surveillance and targeting support. The SH–60B deploys on Navy cruisers, destroyers, and frigates and has a forward-looking infrared (FLIR) system, which provides night vision capability. The FLIR also contains a laser used for targeting the SH–60B’s Hellfire missiles.

On September 8, 2011, the Raytheon Company sent a letter to the U.S. Naval Supply Systems Command alerting the Navy that electronic parts suspected to be counterfeit had been installed on three electromagnetic interference filters installed on FLIR units delivered by Raytheon. Raytheon only became aware of the suspect counterfeit, by the way, after being alerted by our committee’s investigation. According to the Navy, the failure of an electromagnetic interference filter could cause the FLIR to fail. The Navy also told the committee that an SH–60B could not conduct surface warfare missions involving Hellfire missiles without a reliable, functioning FLIR. One of the FLIRs was sent to the USS Gridley in the Pacific fleet.

So how did a suspect counterfeit part end up in a night vision and targeting system intended for a Navy helicopter in the Pacific fleet? These filters were sold to Raytheon by a company called Texas Spectrum Electronics. This is the map we are showing you about the path of these counterfeit parts. That is a defense subcontractor in Texas. Those three FLIRs contain transistors that Texas Spectrum bought in 2010 from a company called Technology Conservation Group (TCG). TCG, it turns out, is both an electronics recycling company and an electronics distributor. The transistors at issue were mixed in among 72 pounds of miscellaneous excess inventory that a Massachusetts company called Thomson Broadcast sent to TCG as, ‘‘e-scrap.’’ According to TCG, the parts arrived in what appeared to be the original packaging. So TCG sold the transistors as new and unused parts. Now, where did Thompson Broadcasting get the parts? They bought them from a company called E-Warehouse in California, and E-Warehouse? They bought them from Pivotal Electronics, an electronics distributor in the UK. We asked Pivotal where they bought them and their answer was Huajie Electronics Limited in Shenzhen, China.

The C–27J is a military aircraft used for tactical support and to support combat operations. The U.S. Air Force has ordered 38 C– 27Js, 11 of which have been delivered. Two C–27Js are currently deployed now in Afghanistan. The C–27J is equipped with display units that provide the pilot with information on the health of the airplane, including engine status, fuel use, location, and warning messages. The display units are manufactured by L–3 Display Systems, a division of L–3 Communications, and they are manufactured for Alenia Aeronautica. Alenia is a subcontractor to L–3 Integrated Systems, another division of L–3 Communications and the military’s prime contractor for the C–27J.

In November 2010, after a part failed on a fielded aircraft, and in internal testing L–3 Display Systems discovered that a memory chip used on its display unit was counterfeit. L–3 Display Systems had already installed the parts on more than 500 of its display units, including those intended for the C–27J, as well as the Air Force’s C–130J and C–17 aircraft and the CH–46 used by the Marines. Failure of the memory chip could cause a display unit to show a degraded image, lose data, or even go blank altogether. But L–3 Integrated Systems, the prime contractor to the Air Force, did not notify its customer, the Air Force, that the C–27Js were affected by the part until September 2011, nearly a year after it had been discovered. Where did these counterfeit chips come from?

The supply chain is somewhat shorter in this case, but it started off in the same place. L–3 Display Systems bought the parts from Global IC Trading Group, an electronics distributor in California, which in turn bought the chips from Hong Dark Electronic Trade, a company in Shenzhen, China.

That is not the end of it. In total the committee discovered that Hong Dark supplied more than 28,000 electronic parts to divisions within L–3 Communications, and at least 14,000 of those parts have already been identified as suspect counterfeit. Neither the committee nor L–3 Communications knows whether the remaining 14,000 parts are authentic, and the company has not yet identified what military systems they might be in.

Another example. The P–8A Poseidon is a Boeing 737 airplane modified to incorporate anti-submarine and anti-surface warfare capabilities. Three P–8A flight test aircraft currently are in test at the Naval Air Station at Patuxent River, Maryland, and the Navy intends to purchase 108 of the aircraft from Boeing.

On August 17, 2011, Boeing sent a message marked, quote, priority critical to the P–8 program office. The message said that an ice detection module installed on one of the P–8 test aircraft contained a, ‘‘reworked part that should not have been put on the airplane originally and should be replaced immediately.’’ The part at issue is critical to the functioning, in other words, of the P–8’s ice detection module.

Boeing first identified a problem with the part in December 2009 when an ice detection module failed on the company’s flight line. In that case, the part had literally fallen out of its socket and was found rattling around inside the module on the airplane. BAE Systems, which manufactures the ice detection system for Boeing, investigated the failure. They discovered that the part that had fallen out of the socket and dozens of other parts from the same lot were not new parts at all. Rather, they were previously used parts counterfeited to make them appear new. On closer inspection, BAE discovered that the parts had likely been sanded down and remarked. The leads on many parts were bent and marking on the parts were inconsistent. Parts that should have been virtually identical to one another were actually found to be of different sizes.

In January 2010, BAE notified Boeing of suspect counterfeit parts on a P–8, calling the counterfeit parts, ‘‘unacceptable for use,’’ and recommending that they be replaced. BAE engineers believed their use created a long-term reliability risk. But it took Boeing more than a year and a half to notify the Navy or its other customers about the suspect counterfeit parts. Those notifications only came after our committee asked about them. Why it took so long for Boeing to notify its customers is something which we will discuss with Mr. Dabundo, the Program Manager for Boeing Defense, Space, and Security Systems P–8 Program Office who is a witness on our third panel.

The Navy recently wrote Boeing that, ‘‘the Government’s position is that any counterfeit material received is nonconforming material and shall be immediately reported.’’

So where did the counterfeit parts come from in that case? BAE purchased around 300 of the parts from a company called Tandex Test Labs in California. Tandex bought the parts from a company called Abacus Technologies in Florida. Abacus, in turn, purchased the parts from an affiliate of A Access Electronics in Shenzhen, China, and wired payment for the parts to A Access’s account at a bank in Shenzhen, China.

The three cases I just described are a drop in the bucket. There is a flood of counterfeits and it is putting our military men and women at risk and costing us a fortune. In terms of the cost, just one example, to the Government now.

In September 2010, the Missile Defense Agency (MDA) learned that mission computers for Terminal High Altitude Area Defense (THAAD) missiles contained suspect counterfeit memory devices. According to the MDA, if the devices had failed, the THAAD missile itself would likely have failed. The cost of that fix was nearly $2.7 million, and who paid for it? The American taxpayer. We must change our acquisition rules to ensure that the cost of replacing suspect counterfeit parts is paid by the contractor, not the taxpayer. No ifs, no ands, no buts, and regardless of the type of contract involved.

So let us be clear, though. The risk is not created by the contractors. The risk stems from the brazen actions of the counterfeiters. Mr. Kamath of Raytheon, another one of our witnesses, told the committee that ‘‘what keeps us up at night is the dynamic nature of this threat because by the time we figured out how to test for these counterfeits, they have figured out how to get around it.’’

Now, some have argued that even if a counterfeit is not identified right away, that a contractor’s testing process will weed out counterfeit parts. If a system containing a counterfeit part passes that testing, they argue, then the counterfeit part should work just like a new part. But that is not what the manufacturers of these parts tell us, and it is also not what our military leaders tell us.

We wrote to Xilinx, a large semiconductor manufacturer, about the anomalies that BAE had identified on the counterfeit parts that were intended for ice detection modules in that P–8A. Again, the parts were counterfeits of original Xilinx devices. This is what Xilinx told us. ‘‘These cases pose a significant reliability risk. Some of these could be catastrophic. Though the devices may initially function, it may be next to impossible to predict what amount of life is remaining or what damage may have been caused to the circuitry.’’
In those cases, when DOD or a contractor in the defense industry needs a spare electronic part to fix a 10- or 20-year-old system, there is a good chance that that part may no longer be available from its original manufacturer and there may be little choice but to go to the open market to find the replacement part. In other words, the parts that we buy are still supposed to be new even if they are no longer being manufactured.
(All examples are on pages 4 to 7 on paper)

However, the above examples are not exactly the summit of this issue. In the Supply Chain Attacks risk assessment report issued by the US Air Force on August 14, 2018, the main threats for the Space-Based Infrared Early Warning Satellite program are classified as follows.
As a result, an adversary has opportunity to infiltrate the AFSPC supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software, and firmware. (page 7)
When the list of all critical electronic circuits used in the program is requested, it is seen that the function of the components used is not defined specifically and the manufacturer's identification information is not available. (page 10)

Nowadays, it is now possible for professional teams working at the state level to crash or capture satellites through cyber vulnerabilities. It was also stated that China used cyber vulnerabilities to watch India's government meetings for 4-5 minutes.

In such a conjuncture, the creation of Supply Chain Attacks with satellites for espionage or sabotage will have unpredictable consequences. With a virus placed in the communication satellites for espionage, it will be possible to monitor and perhaps even capture the whole network.
In such a conjuncture, the creation of Supply Chain Attacks with the purpose of espionage or sabotage on satellites will have unpredictable consequences. With a virus placed in the satellites for espionage, it will be possible to monitor the entire network and perhaps even capture it. The backdoor risk for SBIRS satellites is also valid for the GBI missile defense system.

Measures for Supply Chain Attacks

On all this fake electronic fury; DARPA'nın military level will be used in 2010 to investigate whether the electronics was announced.
In 2014, DARPA also established a private laboratory specialized in counterfeit electronics detection. It is said that the laboratory uses an Advanced Optical Scanning Microscope. The microscope uses infrared lasers to test chip-making or transistor-level circuits that examine microelectronic circuits at nanometer levels.

Likewise, the SHIELD project is one of the preventive R & D programs developed in the management of DARPA for the related threats.
The project aims to prevent external interference to electronic circuits. It is aimed to mount a 100 micron square sensor developed in the scope of the project to the delivery at the time of delivery from the factory and to verify that the sensor does not see light or that no changes have been made to the delivery with a portable probe during delivery.

When considering the threat assessment on the subject;
  • Recycled components that are sold as new
  • Unlicensed overproduction of authorized components
  • Test rejects and sub-standard components sold as high-quality
  • Parts marked with falsely elevated reliability or newer date of manufacture
  • Clones and copies, which may be of low quality, or may include hidden functionality
  • Components that are covertly repackaged for unauthorized applications
Such substances are counted.

DARPA launched a secure microchip wide area call program on March 25, 2019, which covered the issue in greater detail. In this article, Side Channel Attacks, reverse engineering applications, supply chain attacks and malware attacks are also considered as threats to be taken within the scope of the program. It was noted that $ 1.5 billion was allocated for the fund created under the call.

Summaries from a systems engineering briefing to the Pentagon








Top Bottom