Chinese spies compromised server hardware for nearly 30 US companies, including Amazon and Apple, as well as the US government, in a bold espionage attempt to compromise the US's entire technology supply chain, according to a Bloomberg report early Thursday.
Amazon.com Inc. (Nasdaq: AMZN) discovered spy chips mounted on the motherboards of servers manufactured by Super Micro Computer for Elemental Technologies, in 2015. Amazon was considering acquiring Elemental, which made video streaming software, to bolster its Prime video service, according to the Bloomberg report. Apple discovered the attacks independently at about the same time in its own data center server hardware.
The allegations, if true, have broad implications. Super Micro Computer, also known as Supermicro, is one of the world's biggest suppliers of server motherboards. Elemental's servers can be found in Department of Defense Data Centers, CIA drone operations and onboard networks for Navy warships. And Elemental is just one of hundreds of Supermicro customers, Bloomberg reports.
Amazon reported their findings to US authorities. The US government is continuing to probe the incident more than three years later. It determined the chips allow attackers to "create a stealth doorway into any network that included the altered machines," Bloomberg said. "Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China," according to the report. China, which dominates electronics manufacturing, is uniquely poised to pull off this kind of attack, though even China would find an attack on this level extremely difficult.
Bloomberg says US officials describe the incident as "the most significant supply chain attack known to have been carried out against American companies."
One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
In emailed statements, Amazon (which announced its acquisition of Elemental in September 2015), Apple, and Supermicro disputed summaries of Bloomberg Businessweek's reporting. "It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon wrote. "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," Apple wrote. "We remain unaware of any such investigation," wrote a spokesman for Supermicro, Perry Hayes. The Chinese government didn't directly address questions about manipulation of Supermicro servers, issuing a statement that read, in part, "Supply chain safety in cyberspace is an issue of common concern, and China is also a victim." The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment.
On the other hand, Bloomberg says it has 17 people confirming its story, including "six current and former senior national security officials," and Amazon and Apple insiders.
"One government official says China's goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen," says Bloomberg.
Bloomberg has a great deal more information in its in-depth report: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.
The Bloomberg investigation lends credence to claims that China is implanting spy technology in the electronics it exports to the US, which at times have appeared like political posturing, notes my colleague Jamie Davies at Telecoms.com. (See Maybe the Chinese espionage rhetoric is more than political hot air.)
Huawei Technologies Co. Ltd. and ZTE Corp. (Shenzhen: 000063; Hong Kong: 0763) have been subject to sweeping bans by the US government in doing business in America. Huawei recently launched an effort to convince the Federal Communications Commission to open the doors to US trade. (See Huawei Hasn't Given Up on US Market, Pitches the FCC.)
— Mitch Wagner Executive Editor, Light Reading