Dear ERAI Members and Colleagues,

2018 has been a tumultuous year. Tensions between global economies have escalated into a war of tit-for-tat with tariffs and arrests of alleged military spies and even a major corporation’s officer. How this all plays out remains to be seen, but in the meantime, the industry is kept busy dealing with shortages, the pass-through of tariffs and compliance with multiple government regulations.

This quarter we feature our annual report summarizing the parts and organizations reported to ERAI. Reporting to ERAI slightly increased in 2018 over 2017 and included increased submissions from the original component manufacturing community, a possible sign that mitigation efforts may be becoming more universal throughout the electronics industry. Of note, capacitors this year surpassed ICs as the most commonly counterfeited part reported to ERAI, likely related to the capacitor shortage facing the industry.

Cybersecurity has also become a hot topic this quarter. Multiple examples of alleged state-sponsored cyber intrusions should, by now, have prompted all organizations to apply best practices not only to product that your organization procures for resale, but also, and perhaps more importantly, to hardware procurements made for your internal organization’s use. While the threat of a cyberattack may seem minimal to smaller companies, it is critical to understand that your organization’s digital network can be exploited to illegally obtain sensitive client information, including proprietary intellectual property.

We welcome your input. Contact us with any questions, ideas for stories or problems facing your organization. We are here to support all companies, regardless of membership status, in improving the safety of the global supply chain.

Anne-Liese Heinichen

2018 ERAI Statistics

By Damir Akhoundov

The Semiconductor Industry Association (SIA), representing U.S. companies involved in semiconductor manufacturing, design, and research, announced that the global semiconductor industry posted sales totaling $477.9 billion in 2018, following the growth trend of the last 3 years. The number of nonconforming parts reported to ERAI in 2018 has not followed the same marked growth trend, showing only a marginal increase over 2017. It is interesting to note that after following the same overall growth trend as semiconductor sales until 2 years ago, the number of reported parts began a decline in 2017 and has held steady over the last year (771 in 2017 and 797 in 2018).

The types of parts reported in 2018 were also somewhat different from the usual set reported over the last 10 years. Below you can see the combined graphs of the types of parts reported in 2018 versus those reported over the last 10 years. While every year we observed the same set of part types dominating the field, in 2018 the most reported part type was capacitors which surpassed ICs. The rise in capacitor counterfeiting likely correlates to the capacitor shortage that has faced the industry and is forecasted to continue into 2019 and beyond. From 2007-2017, capacitors constituted less than 3% of overall reported parts; however, in 2018, capacitors represented 14.3% of reported parts.

The plots of the most commonly counterfeited components indicate a continued decrease in the overall number of ICs being reported.

When we examined the alleged manufacturers of the parts reported in 2018, we once again observed that the Xilinx brand is the most frequently targeted by counterfeiters, accounting for 8.28% of the overall parts reported to ERAI in 2018. A total of 12 manufacturers’ brands accounted for as many parts reported to ERAI in 2018 as the other 135 manufacturers’ brands combined.

This is generally consistent with our findings over the last 5-year period during which Xilinx remains the most targeted manufacturer.

We also looked at the geographic locations of the suppliers of the reported parts (in cases where that information was made available to us). Consistent with past findings, the majority (almost half) of part suppliers were from the USA, with companies from China making up 22.09% of cases.

Companies reporting parts to ERAI included distributors, test labs, OEMs, contractors, and original component manufacturers.

We further analyzed if any of the parts reported to ERAI in 2018 were also reported by ERAI in previous years. The results indicated that the majority of the parts reported in 2018 (74.03%) were parts never previously reported to ERAI. Over a quarter (25.97%) were parts that were previously reported by ERAI. Less than 1% of parts were those reported more than 10 times before. The number of previously reported parts declined from 33% in 2017.

ERAI Incident Statistics

We examined all of the incidents submitted to ERAI in the last 10 years and compared the overall data to incidents submitted in 2018 to see if the long-term trends are in concordance with the short-term numbers observed in the last year.

Incident Types

We looked at the types of incidents reported to ERAI in 2018 and found that the numbers were remarkably similar to those from the combined last 10 years (2007-2017). The majority of complaints were financial in nature (e.g. past due invoices constituted 40.13% in 2018 vs. 45.76% in 2007-2017).

An even more striking similarity arose when looking at incidents involving non-conforming or suspect counterfeit electronic components over the last 11 years: in 2018, 23% were complaints related to non-conforming electronic components (23.21% in 2007-2017) and 16.72% were complaints specifically involving suspect counterfeit components (16.67% in 2007-2017).

Geographic Distribution of Reported Companies

We then examined the geographic locations of companies named in the incidents reported by ERAI in 2018 versus the last 10 years.

Once again, the geographic distribution of reported companies was very similar and showed that, as observed in the past, companies located in the US comprised the majority of those reported by ERAI (54.67% in 2018 vs. 60.2% over the last 10 years) with China being a distant second with 24.67% in 2018 and 18.4% over the last 10 years.

When filtered to include only incidents related to counterfeit and nonconforming products, the numbers changed accordingly, bringing China and the USA closer, with the US contributing 35.82% and China's share increasing to 29.85%.

When looking at a larger sample from the last 10 years, we can see that this distribution appears to be similar, with China holding a slight edge over the USA (40.6% China vs. 32.2% USA).

Repeat Offenders

In 2018, 27.33% of companies reported to ERAI were companies that had been previously reported one or more times by ERAI. 72.67% of reported companies had never previously been reported by ERAI. Only 1% of reported companies had been previously reported more than 10 times.

This was very similar to the last 10 years of data, where we observed only a quarter of companies reported multiple times and only 0.5% of them reported 10+ times.

As always, we would like to thank those organizations that routinely share data with ERAI. If you have any questions or would like to see any statistical data that has not been covered in this report, please contact Damir Akhoundov at damir@erai.com.

The company search in the ERAI website is an invaluable tool to mitigate risk posed by companies engaging in unscrupulous business practices. We encourage our members to always check the information available in the ERAI database prior to conducting business with a company you are not familiar with and to routinely check on your approved suppliers to ensure no reports were issued against them. It is also imperative that you report any incidents you encounter to ERAI so we can inform the industry and continue providing valuable risk management tools to you and others within the electronic supply chain. Your organization does not need to be an ERAI member in order to report data to ERAI.

Capacitor Counterfeits Increase as Shortages Continue

By Richard Smith

From 2007-2017, capacitors accounted for just under 3% of all reported parts in the ERAI database. An analysis of 2018 ERAI data shows that, for the first time in the last ten years, capacitors surpassed ICs as the most-often reported part type representing 14.3% of reported parts.

The industry has faced a capacitor and resistor shortage throughout 2018 and reports are predicting the shortages to last throughout 2019 and possibly beyond. Hardest hit are multi-layer ceramic capacitors (MLCC), devices used in virtually every electronic product in increasing numbers.

While there are many MLCC manufacturers in the market, in terms of global market share, Murata is the largest manufacturer of MLCCs. With the rise in reports of capacitors to ERAI, accordingly, Murata became the second-most frequently targeted manufacturer brand by counterfeiters in 2018.

Why did MLCC counterfeit activity spike? Some of the reasons capacitors are so easy to counterfeit are the very reasons they are so hard to detect. There is usually a combination of factors that make a product “counterfeit-able”. MLCCs became a counterfeiting target because demand has exceeded production capacity. For example, smart phones used to have 750 MLCCs per unit; recent models have 1,000+. New laptop models have increased from 800 to 900 MLCCs per unit. The big driver is increased demand from the automotive sector. Automobile models that used 1,000-3,000 MLCCs per unit have exploded to 10,000 and up to 30,000 MLCCs per unit. All the MLCC manufacturers in the world combined cannot meet the current demand.

The resulting shortage is being exploited by counterfeiters. Counterfeit MLCCs vary from passing off less expensive parts as more expensive high-performance parts of the same manufacturer; substituting less expensive manufacturer parts for more expensive, higher quality manufacturer parts; combining partial reels of mixed manufacturers; and values from left-over production runs to e-waste where MLCCs are removed from scrap PC boards. Each case above is done by simply combining mixed parts of the same case size (e.g. all 1206), putting them on new, unused, blank reels, applying readily available or easily made counterfeit labels and logos, and falsifying a manufacturer’s certificate of conformance. It is simple and inexpensive to do, and it generates big returns for counterfeiters.

The process of detecting any counterfeit electronic component is usually a combination of basic visual inspection, enhanced visual inspection, physical testing and electrical testing. We can compare physical and electrical performance parameters to a datasheet or known good device. The first problem in inspecting MLCCs is their incredibly minute size (compared to most other components). Currently, typical case sizes run from 1206 (0.125 in x 0.06 in) down to 0201 (0.02 in x 0.01 in). The trend in demand is more reduction in size. Soon it will be common to see MLCCs in case sizes as small as 008004 (0.10 in x 0.005 in).

Source: Murata

The photo above shows the actual size of some popular and available MLCCs. Starting on the left are parts in case size 1210, 1206, 0805, 0603, 0402, 0201, 01005 and 008004. You will note there are no markings or identifiers at all. That makes handling extremely difficult and identification impossible. Due to this, we start our counterfeit detection inspection process by looking at the packaging labels.

Before seeing the labels, we generally have to open a shipping container. If the box is marked with the logo of an OCM or one of their authorized distributors, then you are all set. No problem, right? Well, what if an unscrupulous supplier reused a box from an authorized distributor? What if they bought expensive high reliability precision tolerance parts then shipped you low performance parts from an inferior quality manufacturer? Know your supplier! How well was the supplier vetted when you added them to your approved vendor list? How long ago was that? When was the last time you checked the ERAI database to see if this supplier has been reported? Check the packaging to see that it is from the vendor you have on your purchase order. Know if they are authorized FOR THE MANUFACTURER you are buying or not. Make sure the packing list matches the exact description and part number on your order. Is there a certificate of conformance? From the manufacturer or the supplier? A printed original or a copy?

Inspect the packaging. MLCCs typically come on reels, sometimes on cut tape, waffle packs, bulk and other forms. Look at the labels on the reels. Does everything match? Any bar codes? Scan them to see that they match. Do you have a known good label to compare? Do all part numbers, date codes and lot codes match? A bogus label used to be easy to spot. Misspelled words, poor print quality and mixed fonts were common. Today counterfeiters have become very good at duplicating labels to the point that even many experts can’t tell much from a label. Unfortunately, even Murata’s website now reads, “Please note ‘Label Checking Service’ is no longer available as of the end of December 2018. *Counterfeit products: We have been aware of cases where comparable or substandard non-Murata products are sold as Murata products by using copied packaging, product labels, and Murata logo.”

Below is an example of a label confirmed as counterfeit by Murata. Could you tell?

Now would be the time to pull a few parts off the reel and measure them. Are they perfectly within the tolerance indicated in the manufacturer’s datasheet? Next, perform a visual inspection under magnification. Are the terminations as expected? Are they solderable or corroded? Does anything appear incorrect? Do you have a known good device for comparison? If nothing to this point has caused you to reject the lot, the next step is an electrical test.

You can use a standard meter with a product like the #18910 Quick-Test Auto-Scanning Tweezer from Aven (www.aventools.com). Better yet is a high quality, more expensive LCR Meter (L inductance, C capacitance and R resistance) with ALC (Automatic Level Control). If your results are out of spec, your parts could be counterfeit. What is the date code? Many times, an authentic part can measure out of spec because of age. There is a process called “de-aging” that can restore your MLCC to full capacitance. It involves having the proper equipment to heat your MLCCs above Curie temperature (the temperature above which certain materials lose their permanent magnetic properties, to be replaced by induced magnetism). You must consult the manufacturer’s specs and “know” what you are doing. If this restores your parts’ full function, you have to decide to use them or not. If the MLCCs do not perform within spec, they should be rejected at this point as non-conforming or suspect counterfeit.

What steps can we take to avoid receiving counterfeit MLCCs? OCMs will tell you to only purchase product from them directly or through their authorized distributors. This is great advice and, in a perfect world, all you would need to do. The reality is that, even in the best of circumstances, the authorized supply chain can rarely fill all the global requirements on a given day. This condition is made worse during times of diminished capacity or spikes in demand. It is a good idea to have multiple approved manufacturers on your bill of materials. This increases your sources of authorized supply.

If your authorized suppliers are unable to meet your required delivery, look at some of the independent distributors. There are many that are high quality, reliable companies with very stringent quality control and robust counterfeit risk mitigation practices. Check the ERAI High Risk and Suspect Counterfeit Parts Database to see if the part you require has been reported. Just knowing this can be helpful in navigating the supply chain to avoid reported parts and suppliers. Tip: It is a good idea to check the base number or series of parts. For example, part number GRM31CR71C106KA12 has been reported to ERAI on four (4) separate occasions for electrical failures. A search of just GRM31 shows 15 different complete part numbers reported. The common denominator is the case size. If one specific value or part number in a series has been counterfeited, your specific part number can easily be counterfeited as well, even though it may not yet have been reported.

Tell your supplier your concerns. Tell them if you know the part has been reported or not. Ask if they will provide test reports or authenticity inspection reports. Is there a warranty? From the manufacturer or distributor? Will it cover re-work charges? Liability? Civil suits?

I am reminded of some advice I received as a young sales rep, “sometimes the difference between success and failure is thinking that you know and knowing that you know”.

Recommended tips:
  1. Check if the capacitor has been reported to ERAI as being counterfeited, including checking the base number.
  2. Verify the availability of the component prior to board assembly.
  3. Be flexible with your design and consider a minor redesign.
  4. Have a contingency plan and have alternatives ready.
  5. Vet your suppliers carefully and continuously.
  6. Have a known-good device on hand for comparison during an inspection.
  7. Along with inspecting the part, inspect packaging, labels and accompanying documentation.
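
Tips 1 and 7, together with the base-number search described above, as an added Python example (not ERAI tooling and not code from the article). The reported-parts list is a constructed local stand-in for a database lookup, the record field names, date codes and lot codes are constructed, and the rule that the base number is the leading letters plus two digits is an assumption taken from the GRM31 search in the text.

```python
import re

# Constructed stand-in for an export of previously reported part numbers.
# Only GRM31CR71C106KA12 is named in the article; the EXAMPLE entries are
# made-up placeholders, not ERAI data.
REPORTED_PARTS = [
    "GRM31CR71C106KA12",
    "GRM31EXAMPLE0001",
    "GRM31EXAMPLE0002",
    "GRM18EXAMPLE0003",
]

LABEL_FIELDS = ("part_number", "date_code", "lot_code")


def normalize(value):
    """Upper-case and drop spaces/dashes so formatting differences don't count."""
    return re.sub(r"[\s\-]", "", str(value)).upper()


def series_key(part_number):
    """Base number for a series search, e.g. GRM31CR71C106KA12 -> GRM31.

    Assumption: the base is the leading letters plus the two-digit
    case-size code, which is how the article's GRM31 search is formed.
    """
    match = re.match(r"[A-Z]+\d{2}", normalize(part_number))
    return match.group(0) if match else None


def reported_hits(part_number, reported):
    """Return exact and same-series matches against the reported list."""
    target = normalize(part_number)
    key = series_key(part_number)
    known = sorted({normalize(p) for p in reported})
    return {
        "exact": target in known,
        "series": key,
        "same_series": [p for p in known
                        if key is not None and series_key(p) == key and p != target],
    }


def inspect_receipt(po, packing_list, reels, reported):
    """Cross-check paperwork, reel labels and barcode scans, then the reported list.

    Returns a list of (finding_code, detail) tuples; an empty list means
    nothing in the documents or the reported list calls for rejection yet.
    """
    findings = []
    ordered = normalize(po["part_number"])

    # Packing list must match the exact part number on the order.
    if normalize(packing_list["part_number"]) != ordered:
        findings.append(("PACKING_LIST_MISMATCH", packing_list["part_number"]))

    for number, reel in enumerate(reels, start=1):
        label, scan = reel["label"], reel["barcode"]
        # Human-readable label must carry the ordered part number.
        if normalize(label["part_number"]) != ordered:
            findings.append(("LABEL_NOT_AS_ORDERED", f"reel {number}"))
        # Scanned barcode content must agree with the printed label text.
        for field in LABEL_FIELDS:
            if normalize(label[field]) != normalize(scan[field]):
                findings.append(("LABEL_BARCODE_MISMATCH", f"reel {number} {field}"))

    # Exact part first, then the wider base-number (series) search.
    hits = reported_hits(po["part_number"], reported)
    if hits["exact"]:
        findings.append(("PART_REPORTED", ordered))
    elif hits["same_series"]:
        findings.append(("SERIES_REPORTED", hits["series"]))
    return findings


# Constructed receiving record: two reels, the second with a barcode whose
# date code disagrees with the printed label.
SAMPLE_PO = {"part_number": "GRM31CR71C106KA12"}
SAMPLE_PACKING_LIST = {"part_number": "grm31cr71c106ka12"}
SAMPLE_REELS = [
    {"label": {"part_number": "GRM31CR71C106KA12", "date_code": "1825", "lot_code": "LOT-A1"},
     "barcode": {"part_number": "GRM31CR71C106KA12", "date_code": "1825", "lot_code": "LOTA1"}},
    {"label": {"part_number": "GRM31CR71C106KA12", "date_code": "1825", "lot_code": "LOT-A1"},
     "barcode": {"part_number": "GRM31CR71C106KA12", "date_code": "1752", "lot_code": "LOTA1"}},
]

if __name__ == "__main__":
    for code, detail in inspect_receipt(SAMPLE_PO, SAMPLE_PACKING_LIST,
                                        SAMPLE_REELS, REPORTED_PARTS):
        print(f"{code}: {detail}")
```

A clean result only means the paperwork is consistent; as the article notes, labels can be copied convincingly, so the measurement and electrical test steps still apply.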

A: ANYONE. Membership to ERAI is not required.

We have made the process as simple as possible by offering two ways to report parts:

1. Report a part online at: http://www.erai.com/SubmitHighRiskPart
2. Or even simpler, email your report to reportparts@erai.com

We require: 1) the part information: manufacturer, part number, date code, lot code; 2) a text description of the non-conformance or findings; and 3) digital images that support the findings.

Ideally, you can send all archived data you have and make reporting future cases routine by including a report to ERAI in your existing inspection process.

Please note that you can report parts anonymously. We will not include your company name on an alert. You do not have to report the supplier that shipped you counterfeit devices unless you choose to. The major benefit to the industry at large is knowing there is a suspect counterfeit part out there.

Independent Distributor Pleads Guilty to Supplying Counterfeits to US Military

By Anne-Liese Heinichen

Independent distributor Rogelio Vasquez, aka Roger Vasquez aka James Harrison, pleaded guilty on December 27, 2018 to knowingly supplying counterfeit parts to the US military including parts that were historically used in military applications including the B-1 Lancer Bomber aircraft. If the counterfeit ICs had been used in the B-1, they, “would have likely caused impairment of the combat operations, or other significant harm to a combat operation because a failure of the counterfeit ICs would impact the B-1’s operational capabilities.”1

Vasquez has signed a plea agreement in which he has agreed that he, “knew that the ICs he bought from China were old, used and/or discarded ICs and further…knew that after they were blacktopped, the ICs were re-marked with trademarked marks and then further re-marked with an altered date code, lot code and/or country of origin code, to appear as if they were new and original equipment (“OEM”) parts.”2 In email communications, he discussed with his Chinese suppliers how to remark product to avoid detection by customers and to not include their name on shipments so customers could not contact them directly. Vasquez has agreed to plead guilty to wire fraud, trafficking in counterfeit goods and trafficking in counterfeit military goods.

Starting in 2009, Vasquez operated an independent distribution company, PRB Logics Corporation, from his house in Orange, California. In August 2012, Vasquez bought unspecified counterfeit ICs from China and subsequently sold them to a defense subcontractor; the parts were discovered to have been used in a classified US Air Force weapon system.

Between November 2015 and May 2016, Vasquez knowingly sold 82 counterfeit Xilinx ICs and 24 counterfeit Analog Devices ICs that had military applications totaling $91,580.00 to undercover agents. In a telephone conversation with agents, Vasquez assured undercover agents that his Chinese suppliers would “do a perfect job of re-marking the parts” and further offered to have his supplier provide photos for the military customer. In another conversation, Vasquez was informed that the counterfeit parts he was supplying were being procured for the B-1 Bomber by a top defense contractor. Vasquez assured the undercover agent that the parts would be remarked with a specific date code to meet the government’s requirement. The undercover agent knowingly provided Vasquez with a date code that was fake according to Xilinx; subsequent communications showed Vasquez instructing his Chinese supplier to mark the parts with that same non-existent date code.

In April and May of 2016, Vasquez sold 8,000 pieces of counterfeit Intel part number S80C196KB12 to a company who subsequently sold them to a defense contractor and subcontractor. These parts are used in products with various military applications used by the US Army, US Navy and US Marine Corps. For this purchase from China, Vasquez allegedly “instructed a testing laboratory in China to provide him with two versions of its test report; one to defendant Vasquez with all test results and a separate sanitized version to provide to his customer (which the customer, in turn, would provide to the end user) without the results of any visual inspection and permanency or other marking test (‘marking tests’), which would have revealed that the ICs were used, remarked and/or in poor condition.”3 Unfortunately, the Chinese testing laboratory still remains unnamed.

During a raid on his house, federal agents uncovered 1307 pieces of counterfeit Xilinx parts commonly used in military applications, including 480 pieces of counterfeit Xilinx part number XC2V1000-4FGG456C with date code 0725, and $97,362.00 in cash hidden throughout his garage, which has been since forfeited by Vasquez.

While operating as PRB Logics, Vasquez was previously reported by ERAI three times for suspect counterfeit product in 2011, 2012 and 2013 as well as for a past due invoice in late 2017. Vasquez has also been associated with several other companies that have been reported by ERAI and is thought to have used additional aliases not named in the indictment.

Vasquez is facing a total maximum sentence of 60 years’ imprisonment; 3 years’ supervised release; a fine of $9,250,000.00 or twice the gross gain or gross loss resulting from his offenses, whichever is greater; a special assessment fee of $400.00; restitution to the victims currently estimated at $802,638.00; and deportation and other immigration-related consequences. Sentencing is scheduled for May 10, 2019.

Additional Reading:

For organizations that are members of ERAI, please login to the ERAI website and search the companies’ database for “PRB Logics Corporation” to view the alerts issued against Rogelio Vasquez and PRB Logics.

For organizations that are members of GIDEP, see Agency Action Notice Document Number: AAN-U-18-313.

1 United States of America v. Rogelio Vasquez Guilty Plea, December 27, 2018.

2 United States of America v. Rogelio Vasquez Guilty Plea, December 27, 2018.

3 United States of America v. Rogelio Vasquez Indictment, April 27, 2018.

Companies with Alleged Ties to Chinese Government Under US Government Scrutiny

By Anne-Liese Heinichen

In October of 2018, Bloomberg published a report entitled “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” that described how nearly 30 American companies stored data on servers that contained chips which had allegedly been secretly inserted during the manufacturing process in China by members of the People’s Liberation Army. Among the allegedly affected companies were Apple, a large unnamed banking institution, Department of Defense contractors and Amazon, who the report states, discovered an intrusion while performing a security audit on video compression servers that had been assembled by Super Micro Computer Inc. during a build of a secure cloud for the CIA.

Bloomberg further claims that US Government intelligence agencies were made aware of a threat in 2014 of the Chinese military attempting to insert chips into Supermicro motherboards; however, “it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were” and that “a broad warning to Supermicro’s customers could have crippled the company, a major American hardware maker”.1 With corporate revenues exceeding $2 billion2, Super Micro Computer, commonly referred to as Supermicro, is the dominant source for motherboards in the US, nearly all of which are manufactured by Chinese contractors, according to Bloomberg.

Microchips such as these can allow hackers to secretly access any network which contains these tampered servers, an intrusion potentially providing unlimited and undetected access. These microchips allegedly were colored gray or off-white and resembled signal conditioning couplers as opposed to microchips and varied in size depending on the motherboard model. According to Bloomberg’s sources, the microchips were designed to enable the editing of information through the insertion of code or altering the information of operating system data as it was being stored in the motherboard’s temporary memory and then directed to the CPU. This enabled the device to communicate with computers elsewhere on the Internet and prepared the device to receive new code from these external sources allowing hackers to change how the device functioned.

According to Bloomberg, government investigators were able to review documentation for the hardware and allegedly traced the malicious chips to four Chinese subcontracting manufacturers. The infiltrators were individuals claiming to work for Supermicro or who claimed connections to the Chinese government who then requested changes to the motherboards’ designs and offered bribes or used the threat of inspections and shut downs to the subcontracting factories. The investigators concluded this plan was designed by a People’s Liberation Army unit specializing in hardware attacks.3 To date, the Bloomberg article states that there is, “no commercially viable way to detect attacks like the one on Supermicro’s motherboards…or has looked likely to emerge”.

Apple, Amazon and Supermicro have denied the claims made by Bloomberg. Bloomberg maintains it has 17 confidential sources, including US Government officials, that can confirm the intrusion but has not provided evidence to substantiate its claim. Apple has since ended its relationship with Supermicro. The day the story was published by Bloomberg, Supermicro’s share price took a nosedive from $21.40 to $12.60 and, as of December 31, was priced at $13.80 a share.

For years U.S. Government officials have expressed concerns over the Chinese government’s involvement with Chinese manufacturers such as Huawei and ZTE. In October of 2012, a US House Intelligence Committee report implied that Huawei and ZTE posed a national security threat as they believed the companies were conducting cyber espionage on behalf of the Chinese government. The report recommended blocking acquisition attempts involving both companies, not using either company’s equipment in sensitive government systems and discouraged the use of either company’s products by the commercial sector.

In March of 2017, ZTE pleaded guilty to the violation of US trade sanctions through the illegal export of American technology to Iran and North Korea and was fined $1.19 billion. Subsequently, in April 2018 the US Department of Commerce banned American companies from providing exports to ZTE. In May, ZTE announced the suspension of most manufacturing activity. In July, the Department of Commerce lifted its ban.

Huawei has similarly faced accusations of violation of intellectual property rights and cyberespionage. From accusations made by a former National Security Agency director to documents leaked by Edward Snowden, Huawei, whose founder, Ren Zhengfei, served as an engineer in the Chinese People’s Liberation Army, has been suspected of having strong ties to the Chinese government. In April 2018, the US Justice Department reportedly joined an investigation into possible violations of economic sanctions made by Huawei through the supply of its equipment to Iran, Venezuela, North Korea and Syria. In December 2018, Ren Zhengfei’s daughter and Huawei CFO, Meng Wanzhou, was arrested in Canada at the behest of US authorities. Wanzhou has been charged with conspiracy to defraud multiple international institutions by representing to US banks that Huawei and a company alleged to have done business with Iran called Skycom were separate entities though the government alleges that both companies are one and the same. As of the date of this article, Wanzhou remains under house arrest in Vancouver.

On November 1, the US Justice Department announced a federal grand jury indictment against a state-controlled Chinese company, its Taiwanese partner company and three individuals for “conspiracy to steal, convey and possess stolen trade secrets of an American semiconductor company for the benefit of a company controlled by the PRC government.”4 The named defendants are: United Microelectronics Corporation (UMC); Fujian Jinhua Integrated Circuit, Co., Ltd; Chen Zhengkun aka Stephen Chen; He Jianting aka J.T. Ho; and Wang Yungming aka Kenny Wang.

“As this and other recent cases have shown, Chinese economic espionage against the United States has been increasing—and it has been increasing rapidly. I am here to say that enough is enough. With integrity and professionalism, the Department of Justice will aggressively prosecute such illegal activity.”

Attorney General Jeff Sessions

According to the indictment, the Chinese government has designated the development of DRAM technology as a national economic priority. Fujian Jinhua Integrated Circuit (hereafter referred to as Jinhua) was established in 2016 by PRC funding with the goal of “designing, developing, and manufacturing DRAM”.5 Chen Zhengkun was employed by UMC in September 2015. The complaint alleges that Jinhua and UMC conspired to illegally obtain Micron Technology’s proprietary DRAM technology by having Chen recruit and hire Micron Memory employees, including Ho and Wang, to join him at UMC after downloading confidential Micron files from October 2015 through April 2016. UMC then provided the technology relating to the design and manufacture of DRAM to Jinhua. The stolen data included wafer specifications for Micron’s 25nm DRAM chip as well as Micron’s F32nm design. The complaint states that from September 2016 through March 2017, UMC and Jinhua filed five patents and a patent application containing information that was the same or very similar to technology described in Micron’s Trade Secrets that allegedly could not be obtained through reverse engineering. Chen became the President of Jinhua in charge of its DRAM production facility in February 2017 in addition to his position at UMC. Prior to the allegations set forth in the complaint, UMC did not manufacture or possess advanced DRAM technology. Micron estimates the value of the eight trade secrets to UMC and Jinhua was at least $400 million and up to $8.75 billion.

If convicted, Chen, Ho and Wang each face 15 years’ imprisonment and a $5 million fine for economic espionage charges and 10 years’ imprisonment for theft of trade secret. UMC and Jinhua face forfeiture and a maximum fine of $20 billion.

The Justice Department has also filed a civil lawsuit seeking to block UMC and Jinhua from transferring the stolen technology or exporting products based on the stolen technology to the US. In October 2018, the US Department of Commerce restricted US companies from selling components, software and technology goods to Fujian Jinhua.

In November 2018, China responded to allegations that its government-backed firms are stealing American technology by declaring that US moves, including the Section 301 tariffs, violate World Trade Organization rules and only seek to protect the US’ monopoly on the DRAM industry.

As the above examples illustrate, cybersecurity is a problem everywhere and for everyone: threats continue to increase globally, and entire nations, not just individual organizations, are at risk. It is the responsibility of each link in the global supply chain to be proactive in its cybersecurity efforts for the benefit of the overall economy.

1 https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america...

2 https://www.supermicro.com/about/index.cfm

3 https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s...

4 https://www.justice.gov/opa/pr/prc-state-owned-company-taiwan-company-and-three-individuals-charged-economic-...

5 United States of America v. United Microelectronics Corporation; Fujian Jinhua Integrated Circuit, Co., Ltd.; and Chen Zhengkun aka Stephen Chen Complaint filed 11/1/2018.

Cybersecurity Risk Alerts

For over 20 years, ERAI has been collecting, storing and disseminating data on potential risks in the material purchasing and selling process in the form of alerts distributed to our subscriber base. Along with reporting organizations that have supplied suspect counterfeit or nonconforming parts, ERAI also provides identity theft alerts on companies whose identities are being used without consent by imposters who seek to benefit from an organization’s hard-earned reputation. Many of these are in the form of unsolicited emails requesting pricing commonly for industrial test and measurement equipment, hard drives, CPUs, and/or printer toners and are generally from email addresses that are similar to the real organization’s URL.

In recent months, ERAI has noted an increase in these types of unsolicited emails that additionally contain malicious software attachments. Malicious software, or “malware”, can be used to steal personal and/or corporate information and commit fraud for financial and economic gains by individuals, corporations, criminals, terrorists or governments.

ERAI has added a new type of alert to the ERAI database to warn ERAI subscribers of this potential risk. The alerts will be posted in an organization’s profile under the title of “Cybersecurity Risk” and will also appear in the Recent Company Alerts section of the ERAI website. These alerts should not reflect negatively on an organization but should be shared throughout your organization as part of your company’s risk mitigation procedures.

An example of a “Cybersecurity Risk” alert recently issued by ERAI:

On November 9, 2018, an organization received an unsolicited email allegedly from Patti Powers of Diversified Printing Techniques asking that the attached purchase order be reviewed for accuracy and an acknowledgment be sent by return mail. The organization called Diversified Printing Techniques via their website contact information and learned that Ms. Powers had retired. All of the company information contained in the email is otherwise true and correct. The organization did not open the attachment but forwarded it to ERAI where the IT Department determined it contained malicious software.

A representative from Diversified Printing Techniques stated the company is aware of this activity, believes the email account was compromised and is instructing recipients not to open the attachment.

Recently, the US Government’s National Counterintelligence and Security Center (NCSC) released a report on “Foreign Economic Espionage in Cyberspace” detailing multiple instances of the use of malware to steal credentials and proprietary data, illegally breach systems and shut down operations. The report provides the latest unclassified information about attempts made by foreign entities to steal US trade secrets through cyberspace and how industrial espionage poses a significant threat to US security and competitive advantage. The report also focuses on how foreign intelligence services, primarily those of China, Russia and Iran, pose the most persistent threat. These entities are targeting not only US government systems but are also greatly focused on private energy, biotechnology, defense, and IT companies. One victim was a U.S. defense contractor.

ERAI strongly recommends that any attachments received from unknown persons not be opened until they have been deemed safe by your organization’s IT personnel. All instances should be reported to ERAI at complaints@erai.com.


Repercussions of the Section 301 Tariffs

In June 2018, President Trump announced tariffs against Chinese goods imported into the United States. This was an effort to protect US manufacturers in response to the “Made in China 2025” Chinese government initiative designed to make the country a major competitor in advanced manufacturing by calling for domestic manufacturers to supply 70% of China’s chip demand. In the six months since the implementation of the first round of tariffs, two additional rounds of tariffs have been applied to selected imports of Chinese-made goods.

It is still too early to determine the effect that the tariffs are having on US manufacturers. Supporters of the tariffs argue that the tariffs will encourage companies to retain domestic operations and/or limit their use of overseas production facilities. Opponents argue that profits would be diminished, that prices would rise as the extra cost is passed through to consumers, and that China will only be incentivized to build its own rival manufacturing facilities.

In Oregon, electronics manufacturing is the most vital industry, comprising 14% of the state’s economic output in 2016 with most of the output coming from Intel, Oregon’s largest employer with 20,000 employees.1 Some worry that electronics components made in the US and then shipped to Asia for assembly and returned to the US will essentially become Oregon-made products against which tariffs are levied, causing manufacturers to move production to China. “The worst case scenario might be that someone says, ‘Well it’s easier to just do the whole thing in China and then import it back afterwards.’ Then production could get consolidated somewhere other than Oregon down the road,” stated Mike Rogoway, a journalist for The Oregonian/OregonLive.2 However, in July, Bob Swan, Interim chief executive of Intel told The Wall Street Journal that he didn’t believe the tariffs, “would have significant impact on our revenue.”3

Moog, a music synthesizer manufacturer, sounded an alarm in July, citing concern over increased operating costs. The company warned that the Section 301 tariffs would force it to either shift production overseas or lay off workers, much as Harley-Davidson shifted production of European-designed motorcycles out of the United States to avoid costly EU-imposed tariffs.

Apple also has acknowledged that many of their products could see price increases due to tariffs. In addition, Apple noted concern over the effect on company operations with tariffs on cables, servers and other hardware components used by the company. In a September filing, Apple stated, “our concern with the tariffs is that the U.S. will be hardest hit, and that will result in lower U.S. growth and competitiveness and higher prices for U.S. consumers”.4

Only time will tell as companies begin reporting profits or losses accordingly. It remains to be seen if companies move production overseas or reduce their domestic employees in an effort to control costs. Regardless, the tariffs will likely increase the cost of materials, even if the electronic devices are ultimately manufactured in the US.

1 https://www.oregonlive.com/silicon-forest/index.ssf/2018/08/oregons_chip_industry_casts_wa.html

2 https://www.opb.org/news/article/trump-tariff-semiconductor-intel-oregon/

3 https://www.oregonlive.com/silicon-forest/index.ssf/2018/08/oregons_chip_industry_casts_wa.html

4 https://variety.com/2018/digital/news/apple-tariffs-homepod-apple-watch-1202932573/

Recent Criminal Indictments

Qin Shuren, LinkOcean Technologies

Shuren Qin, a Chinese citizen and US permanent resident since 2014, was charged in a Massachusetts federal court on June 22, 2018 with one count of conspiring to commit violations of U.S. export regulations and one count of visa fraud. From July 2015 to December 2016, Qin allegedly illegally exported hydrophones using his company, LinkOcean Technologies, to Northwestern Polytechnical University, a Chinese military research institute, in violation of US export laws by concealing from his supplier the true end-user of the parts. The Government further alleges that Qin lied in a US visa application by stating he had never participated in export control violations.

On October 30, 2018, government attorneys filed additional charges including conspiracy to defraud the United States, smuggling, money laundering and making false statements to government officials. Officials say Qin allegedly engaged in money laundering by transferring more than $100,000 from Chinese bank accounts to American bank accounts in order to facilitate his illegal activities.

Qin faces maximum sentences of:
  • 20 years’ imprisonment, 3 years’ supervised release, fine of $1 million for violating export laws;
  • 10 years’ imprisonment, 3 years’ supervised release, fine of $250,000 for visa fraud;
  • 5 years’ imprisonment, 3 years’ supervised release, fine of $250,000 for conspiring to defraud the United States;
  • 5 years’ imprisonment, 3 years’ supervised release, fine of $250,000 for making false statements;
  • 20 years’ imprisonment, 5 years’ supervised release, fine of $550,000 for money laundering; and
  • 10 years’ imprisonment, 3 years’ supervised release, fine of $250,000 for smuggling.

Zha Rong, Chai Meng, and 8 Co-Conspirators

“State-sponsored hacking is a direct threat to our national security. This action is yet another example of criminal efforts by the MSS to facilitate the theft of private data for China’s commercial gain. The concerted effort to steal, rather than simply purchase, commercially available products should offend every company that invests talent, energy, and shareholder money into the development of products.”

U.S. Attorney Adam Braverman

In late October 2018, the US Justice Department brought charges against 10 Chinese individuals accused of stealing American intellectual property. The US Government alleges that from January 2010 through May 2015 the defendants hacked the network of a French company with an office in Suzhou, China, as well as companies in Arizona, Oregon and Massachusetts, to obtain proprietary information on a turbofan engine used in US and European commercial jets and on parts for that engine. The technology was stolen for the benefit of a Chinese state-owned aerospace company that was developing a similar turbofan engine.

Two of the accused, Zha Rong and Chai Meng, are officers with the Jiangsu Province Ministry of State Security. The two intelligence officers and their co-conspirators “used a range of techniques, including spear phishing, sowing multiple different strains of malware into company computer systems, using the victim companies’ own websites as ‘watering holes’ to compromise website visitors’ computers, and domain hijacking through the compromise of domain registrars”.1

Hossein Larijani, Paya Electronics Complex and Opto Electronics Pte Ltd

The US Department of State is offering a reward of up to $3 million for information leading to the arrest and/or conviction of Hossein Ahmad Larijani. In 2010, Larijani was charged with illegally exporting American technology, including radio transceiver modules, to Iran. From 2007 to 2008, with the help of an Iranian company, three companies in Singapore and four co-conspirators in Singapore, Larijani procured technology that was used in improvised explosive devices (IEDs) that were used against US military forces from 2008 through 2010. With the help of Corezing International, Larijani had the modules shipped from Minnesota to Singapore by declaring they would be used for telecommunications in Singapore. The modules were then shipped from Singapore to Iran by Wong Yuh Lan, Lim Yong Nam, Lim Kow Seng and Hia Soo Gan Benson, all Singapore nationals who were arrested by the US government, subsequently imprisoned and eventually deported back to Singapore. Larijani, who is based in Iran, operated as Paya Electronics Complex in Iran and Opto Electronics Pte Ltd in Singapore.

The components were discovered in unexploded IEDs in Iraq. According to the indictment, IEDs have caused approximately 60% of American combat casualties in Iraq from 2001 through 2007. The modules were being used in the remote detonation systems used in IEDs. Larijani and his associates allegedly shipped approximately 6,000 of these modules to Iran. Additionally, Seng, Hia and Corezing faced conspiracy charges involving the illegal export of 55 cavity-backed spiral and biconical antennae, which are used in airborne and shipboard environments such as the F-4 Phantom, F-15, and F-16 fighter jets.

In early 2010, prior to the indictment, Opto Electronics was placed on the Department of Commerce’s Entity List. Larijani contacted US officials multiple times from Iran in an effort to have his company removed from the Entity List. When questioned, he denied having business dealings with an accused Iranian procurement agent and its Malaysian company who were believed to be involved in Iran’s nuclear and ballistic missile programs.

Hossein Ahmad Larijani is believed to be in Iran.

1 https://www.justice.gov/opa/pr/chinese-intelligence-officers-and-their-recruited-hackers-and-insiders-conspired-steal


How to Spot a Counterfeit: Counterfeit Documentation

Documentation, such as a certificate of conformance or a proforma invoice, can be counterfeited to provide the buyer with a false sense of security that the part was purchased from an authorized source and provide the illusion of traceability back to the original component manufacturer. Recent examples include:

In July 2018, a former quality assurance employee of AllState Can Corp. of Parsippany, NJ filed a lawsuit alleging he was fired after he complained the company used foreign-made parts in filters for air purification systems used inside US military tanks. Jeffrey Lechowicz stated that AllState Can was six months behind on manufacturing the parts and therefore procured the parts from China in order to fulfill an order for a US Department of Defense contractor. He alleges that a sales representative then provided the contractor with counterfeit documentation stating the parts were US-made when, in fact, they were not. According to government regulations and DoD requirements, all of the components were required to be domestically manufactured or manufactured with DoD approval by a “Qualifying Country”, which China is not.

In September of 2018, another New Jersey-based defense contractor was indicted by the US government for allegedly defrauding the DoD by misrepresenting the origin of manufacture of military parts used by the US Navy for torpedoes, bomb ejector racks used by US Air Force aircraft, and firearms and mine clearance systems used by the US military. A criminal complaint states that Bright Machinery Manufacturing and Ferdi Murat Gul forged documentation on parts made in Turkey, falsely claimed they performed required testing and illegally exported drawings and technical data. Gul is charged with conspiracy to commit wire fraud, six counts of wire fraud, one count of conspiracy to violate the Arms Export Control Act and one count of violating the act.

In a recent ERAI alert, a buyer submitted a request for quote (RFQ) via an online trading portal to Core Electronics System for Vishay part number RS1G-E3/61T. Core Electronics responded to the RFQ offering the parts at $0.04 each and represented the goods as new and original from an authorized agent. The buyer issued a purchase order; however, prior to funds being wired, the buyer was instructed by Core Electronics to issue a revised purchase order to SMT Components Ltd. allegedly because Core Electronics was currently being audited. As such, the order would be processed via Core’s “sister company” SMT. As instructed, Core Electronics Systems provided the buyer with pictures of the labels and parts prior to shipping but after the funds had been wired. The buyer noticed discrepancies in the labels and part markings when compared to product previously purchased from an authorized distributor. Core Electronics was confronted regarding the label and part marking discrepancies and was asked to provide supply chain traceability to their authorized source. Core Electronics provided a CofC from a well-known authorized distributor; however, when the buyer contacted the authorized distributor to verify the authenticity of the CofC, the authorized distributor indicated they had no record of this transaction and that the CofC was not authentic. The buyer made numerous subsequent requests for a refund of their advance payment without a response from Core Electronics.

For another example, log in to the ERAI website and search the companies database for “Eric Bearing Limited”.

While performing incoming inspections, organizations should also include a review of all documentation provided by suppliers. In general, documents should be reviewed for misspellings, bad grammar, blurred logos and other suspicious indicators. While many standards have failed to provide detailed recommendations for counterfeit mitigation, the Department of the Navy’s Counterfeit Materiel Process Guidebook: Guidelines for Mitigating the Risk of Counterfeit Material in the Supply Chain is an excellent resource for counterfeit indicators:

“Categories and indicators of counterfeit documentation include the following:
  1. Altered Documents
    • Excessively faded or unclear or missing data
    • Use of correction fluid or correction tape
    • Type style, size or pitch change is evident
    • Data on a single line is located at different heights
    • Lines on forms are bent, broken or interrupted indicating data has been deleted or exchanged by “cut and paste”
    • Handwritten entries are on the same document where there is typed or preprinted data
    • Text on page ends abruptly and the number of pages conflicts with the transmittal
  2. Signatures and Initials
    • Corrections are not properly lined-out, initialed and dated
    • Document is not signed or initialed when required
    • The name of the document approver, or title, cannot be determined.
    • Approver’s name and signature do not match
    • Document has missing or illegible signature or initials
  3. Certification
    • Technical data is inconsistent with code or standard requirements
    • Certification/test results are identical between all tested items; normal variation should be expected
    • Documentation Certificate of Conformance and Testing is not delivered as required on the purchase order, or is in an unusual format
    • Document is not traceable to the items procured”

White Paper Review: Tracking E-Waste

Basel Action Network (BAN) is a US-based NGO in Seattle, Washington whose mission is “to champion global environmental health and justice by ending toxic trade, catalyzing a toxics-free future, and campaigning for everyone’s right to a clean environment.”1 BAN has previously released several reports on the effects of e-waste dumping in Africa and Asia and alleged illegal e-waste dumping by recyclers.

On October 10, 2018, BAN released its latest report containing the results of a study in which GPS trackers were concealed in 43 different computing items that were sent to different electronics recycling centers in Canada. BAN then monitored the GPS trackers and discovered that of the 43 trackers deployed, 12% were exported out of Canada, of which 80% went to Hong Kong and Pakistan in possible violation of the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal, to which Canada is a party (notably, the United States is not a party to the Basel Convention). The treaty was designed to reduce movement of hazardous waste between countries, specifically the transfer of waste from developed to less developed countries.

Three of the devices were exported to Hong Kong, specifically the New Territories region where, according to BAN, “e-waste junkyards hidden behind steel fences are numerous…sites where undocumented laborers have been recently employed in the crude and harmful breakdown of the electronic equipment”.2

One device was tracked by BAN to Pakistan. After arriving in the port of Karachi, the device then traveled to Peshawar, presumably to face local “recycling” according to the report. Peshawar is located on the eastern side of the Khyber Pass, close to the border with Afghanistan.

Three of the four devices exported to Hong Kong and Pakistan were handled by one Canadian recycler, the Electronics Recycling Association (ERA). The good news though is that the overall export rate of recyclers (12%) is far less than the rate identified two years earlier in the United States (34%).3

A similar previous report was issued by BAN in August of 2018 involving 35 trackers in Australia. In that study, two trackers were exported to Hong Kong, with one moving on to Thailand.

The Basel Convention has been criticized as not going far enough. In 1995, the Basel Ban Amendment to the Basel Convention was proposed to prohibit the export of hazardous waste to developing countries for any reason, including recycling. The amendment has been accepted by 86 countries but has not entered into legal force as it still lacks two more countries to achieve three-fourths’ ratification. Neither Canada nor Australia has ratified the amendment.

"We call on Canada to join the European Union in ratifying and implementing the Basel Ban Amendment…By doing this, Canada can stop using Asia as a dumping ground and instead become ambassadors of global environmental justice.”

Jim Puckett, BAN Founder and Director

In the United States, to date, no specific legislation has been passed mandating export controls on e-waste. In October of 2018, the US Bureau of Industry and Security (BIS) announced a request for comments on the effects and costs of a BIS proposal on new export authorization requirements regarding e-waste that would include the potential prohibition on e-waste exports. The proposed changes also include new recordkeeping and reporting requirements and data elements in the Automated Export System to track exported e-waste and would provide for exemptions to the prohibition. The prohibition seeks to address the issue of counterfeit goods, specifically raised by the US Armed Services Report’s “Inquiry into Counterfeit Electronic Parts in the Department of Defense Supply Chain” and the “Secure E-Waste Export and Recycling Act” (SEERA). The deadline for comments was December 24, 2018; the comments are intended to help BIS determine the feasibility and cost of implementing the proposed changes.


1 http://www.ban.org/about-us/

2 https://myemail.constantcontact.com/Canada-Still-Exporting-e-Waste-to-Developing-Countries.html?soid=1114999858498&aid=0dV6AREekxk

3 http://wiki.ban.org/images/8/8b/Export_of_e-Waste_from_Canada_-_A_Story_as_Told_by_GPS_Trackers.pdf


Is There an End in Sight to the Electronic Components Crisis?

China 'spy chips' rattle global data center supply chain

Pentagon slow to protect weapons from cyberattacks, GAO says

Pressures mount as global trade wars continue

Supply Chain Security 101: An Expert’s View

Viewpoint: Is the authorised electronics supply chain doing all it can to fight counterfeits?

Establishing a trusted supply chain for embedded computing design

Can ‘Made in China 2025’ help turn the nation’s domestic aerospace industry into a world leader?

US Withdrawing Request For Zhelyaz Andreev Extradition

Supply Chain Blockchain Builds Transparency & Trust

Counterfeit Parts in the Aviation Supply Chain is the Focus of New Book from SAE International

Aerospace Industry Responds to Pentagon Needs With New Cybersecurity Standards

Tariffs and the Electronics Supply Chain: A Perfect Storm?

Chip-Level Spying Has a Long History Under the Chinese Regime