Hacker News

Sounds like the Ethernet connector module was not from the, ahem, correct manufacturer: “Appleboum said one key sign of the implant is that the manipulated Ethernet connector has metal sides instead of the usual plastic ones. The metal is necessary to diffuse heat from the chip hidden inside, which acts like a mini computer. "The module looks really innocent, high quality and 'original' but it was added as part of a supply chain attack," he said.”


I'm not sure I believe this one as much, just based on the part you quoted. I can see a chip manipulating the BMC/IPMI flash to make it do things it shouldn't. I don't see how an Ethernet port could be modified to be interesting. They're typically after the magnetics, or contain the magnetics themselves, so the only source of power would be the activity LEDs, or something, or maybe we assume a custom PCB as well. You've then also got to have it doing Gigabit Ethernet, or otherwise tampering with data it got from that interface, which feels unlikely. Maybe it's just the same as the last implant story, hidden in a less easy to find place? Hard to know without something even approaching technical information.


You could easily DoS obviously, but beyond that I agree that it seems tricky to do anything worthwhile.


It could just be a sort of beacon to help identify where hardware went after the manufacturing process. If the same company is building the same hardware, the agent can slip in something more nefarious to make sure they target the right company. Servers are commodity products but they aren't manufactured in mass quantities like phones are. If a company orders thousands of them, that's likely thousands that will need to be made. A Chinese manufacturing plant gets contracted to spin up production and an implant is slipped into some of the first boards just to see where they go. You don't want an expensive hardware trojan to end up in a Fortnite server; you want to hit Apple, Google, Lockheed Martin, SpaceX, anyone with valuable IP or information. The more beacon implants you throw out there, the more likely someone will find one, and you don't want to get caught too early in the game. Once those implants come online and phone home, you have a better idea of where the remaining boards are going and slip in the real deal implants, the ones that will actually get you a backdoor.


How would such a beacon work though? As RL_Quine points out there's only so much you can do at this point, especially if you want to be super stealthy. If you wanted to send a ping to an external server you'd have to craft an Ethernet frame with the right target MAC address containing an IP datagram with the right IP address to be routed correctly in the datacenter and through the public firewall. You better make sure that your packet looks legit, otherwise you're sure to trip anything looking for suspicious activity. "Hey look, our servers send weird packets to this suspicious IP, what gives?"

And you have to do all that with a very low power device running from within the port itself. Seems like a very high bar to me, especially when there seem to be so many easier ways to backdoor a motherboard.

But maybe the component is only hosted in the Ethernet port but is actually connected to other signals on the motherboard.


You can sniff the right target MAC and source IP from the traffic flowing through the port itself. (Just assume the machine itself has internet access and use its source IP and the target MAC it uses for public addresses.)

As to the beacon itself… DNS is pretty good. Just send an innocuous DNS request to a machine you control (say a NIST time server), if you think an iterative request won't show up on radar. Or send a recursive DNS request along a path you've wiretapped. (I'd be surprised if the NSA doesn't have a feed of all DNS requests to 8.8.8.8.)

Of course you will want to wait to see whether the bugged machine itself sends any such packets out first, to ensure that yours can hide in the noise. Bad idea to send a DNS beacon from a machine that doesn't ever make DNS requests.

Actually on second thought, given the above capabilities, you don't even need to inject packets at all. Just mangle existing DNS queries in such a way that you can identify them in a wiretap. Say, for all DNS requests with a specific hash, mangle the ID field so that it matches some orthogonal hash (and unmangle it on the way back of course). Very unlikely to be noticed by an IPS, and you can statistically determine that machines sending more than expected packets whose ID field matches this second hash are successfully bugged.

Or, why even send packets? Instead, drop all DNS request packets matching some specific hash. They'll eventually get retried with a new server or new ID. Again, statistics applied to wiretapped data can determine whom you've bugged. You don't even need store+forward capability here; just emit noise over the tail of the packet and the switch will drop it for you.
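The ID-mangling covert channel sketched in the comment above, as an added example that is not from the thread or any real implant: a toy inline implant that rewrites the transaction ID of DNS queries picked by one keyed hash to the value given by a second, orthogonal hash, restores the original ID on the reply so the host's resolver never notices, and the wiretap-side statistic that separates bugged hosts from clean ones. The DNS packet builders, the two keys, the 1-in-8 selection rate, the host addresses and the query names are all constructed for the example; nothing here models the power or line-rate constraints the thread argues about.

```python
import hashlib
import hmac
import random
import struct
from collections import defaultdict

# Keys and tunables are hypothetical: they belong to whoever built the implant,
# not to anything in the thread.
SELECT_KEY = b"select-key-demo"   # first hash: which queries the implant touches
MARKER_KEY = b"marker-key-demo"   # second, orthogonal hash: the ID a touched query carries
SELECT_MASK = 0x07                # touch roughly 1 in 8 queries so the signal stays sparse


def build_query(txid, qname, qtype=1):
    """Minimal DNS query: 12-byte header plus one question. Constructed for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode()
                    for lab in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def build_reply(query):
    """Reply skeleton for a query: same ID and question, QR/RD/RA flags set."""
    return query[:2] + struct.pack("!H", 0x8180) + query[4:]


def txid_of(pkt):
    return struct.unpack("!H", pkt[:2])[0]


def set_txid(pkt, txid):
    return struct.pack("!H", txid) + pkt[2:]


def qname_of(pkt):
    """First question name; a query's question section carries no compression pointers."""
    labels, off = [], 12
    while pkt[off] != 0:
        n = pkt[off]
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def selected(qname):
    """First hash: keyed, so a defender cannot tell which queries are the 'interesting' ones."""
    d = hmac.new(SELECT_KEY, qname.encode(), hashlib.sha256).digest()
    return (d[0] & SELECT_MASK) == 0


def marker_txid(qname):
    """Second hash: the 16-bit ID a selected query must carry to count as a hit."""
    d = hmac.new(MARKER_KEY, qname.encode(), hashlib.sha256).digest()
    return struct.unpack("!H", d[:2])[0]


class Implant:
    """Inline on the wire: rewrites the ID of selected queries on the way out and
    restores it on the reply, so the host's resolver sees the ID it actually sent."""

    def __init__(self):
        self.pending = {}   # (qname, marked id) -> original id

    def outbound(self, pkt):
        qname = qname_of(pkt)
        if not selected(qname):
            return pkt
        marked = marker_txid(qname)
        self.pending[(qname, marked)] = txid_of(pkt)
        return set_txid(pkt, marked)

    def inbound(self, reply):
        orig = self.pending.pop((qname_of(reply), txid_of(reply)), None)
        return reply if orig is None else set_txid(reply, orig)


def classify_tap(tap, threshold=2):
    """Wiretap side: per source, count selected queries whose ID equals the marker.
    A clean host matches by chance once in 65536 selected queries; a bugged host
    matches every time, so a couple of hits already identifies it."""
    hits, seen = defaultdict(int), defaultdict(int)
    for src, pkt in tap:
        qname = qname_of(pkt)
        if not selected(qname):
            continue
        seen[src] += 1
        if txid_of(pkt) == marker_txid(qname):
            hits[src] += 1
    return {src: (hits[src], seen[src], hits[src] >= threshold) for src in seen}


def find_name(want_selected, limit=10000):
    """Search constructed names until one with the wanted selection status turns up."""
    for i in range(limit):
        name = f"probe{i}.example.net"
        if selected(name) == want_selected:
            return name
    return None


def simulate(n_queries=1000, seed=7):
    """Two hosts make identical query streams; only 10.0.0.1 sits behind the implant."""
    rng = random.Random(seed)
    implant, tap = Implant(), []
    names = [f"host{i}.example.net" for i in range(128)]
    for _ in range(n_queries):
        name = rng.choice(names)
        tap.append(("10.0.0.1", implant.outbound(build_query(rng.randrange(65536), name))))
        tap.append(("10.0.0.2", build_query(rng.randrange(65536), name)))
    return classify_tap(tap)
```

`simulate()` returns, per source address, the number of selected queries carrying the marker, the number of selected queries seen, and the verdict; the bugged host scores hits equal to seen, the clean host almost always zero, and nothing on the host side ever changes: the query count, destinations, timing and reply IDs are exactly what the resolver would have produced anyway. The packet-dropping variant from the same comment swaps the rewrite for a retry count on the tap, and needs no store-and-forward at all.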


I've never seen an onboard Ethernet jack that doesn't have metal sides. The only places I've seen all-plastic Ethernet jacks are consumer networking gear and really ancient add-on cards. That makes me wonder if their source actually knows what he's talking about, especially given the lack of technical details about how this works.



