Bloomberg: Supermicro Motherboards Bugged by Operatives in China
Roiling the tech industry and intelligence community, a news story on the Bloomberg BusinessWeek site reports that spies in China hacked Super Micro Computer servers widely distributed throughout the U.S. technology supply chain, including servers used by Amazon and Apple. The story has been flatly denied by all three companies and by the government of China.
Called “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” the story, which Bloomberg said is based on multiple sources, reports that the hack was first detected in 2015 by Amazon, which was evaluating a startup named Elemental Technologies for possible acquisition. Elemental’s software compresses video files, including surveillance footage from drones for the Central Intelligence Agency.
Amazon, according to the story, worked with a third-party company from Ontario to examine Elemental’s security, and found that Elemental’s servers, assembled by Supermicro (a global supplier of server motherboards used at on-prem and cloud data centers, along with HPC sites), had indications of “troubling issues.”
“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design,” the Bloomberg story states. “Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.”
The chips allow a “stealth doorway” into networks where the hacked servers operate, according to the story, and “the chips had been inserted at factories run by manufacturing subcontractors in China,” specifically by operatives for the People’s Liberation Army.
If true, the stealth chips could have far-reaching impact. A former U.S. intelligence official familiar with Supermicro is quoted in the story: “Think of Supermicro as the Microsoft of the hardware world. Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
The story brought strong denials from all parties concerned, including Supermicro, which in a press release today stated the company “strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems,” adding “Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims.”
Bloomberg released a denial from Amazon, which said, “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”
Apple and the government of China also denied the story in equally strong terms.
But Bloomberg stated that the denials “are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim.”
In total, Bloomberg reports, the story is based on information from 17 people.