A report today suggests that the Chinese government has been hacking American companies in a fairly astonishing manner: inserting tiny chips into computers manufactured in China.
According to a new report from Bloomberg, thousands of compromised servers were sold by Supermicro, which once supplied Apple and Amazon data centres, and multiple U.S. security agencies have been investigating the breach in a top-secret probe since at least 2014.
Chinese spies developed pencil tip-sized chips that could be placed on computer motherboards and resembled innocuous components despite containing their own memory, networking, and processing capabilities, reads the report. The spies allegedly infiltrated Supermicro’s subcontractors, adding the chips to servers without being detected. Once the servers were powered on, the chips compromised the server’s operating system and sat awaiting further instructions from attackers.
Bloomberg, citing multiple sources, said the infiltration was first discovered in 2015 by Apple and confirmed by independent investigators before a full investigation was launched by multiple U.S. government agencies. Later, Amazon independently discovered the chip, and also reported it to US authorities.
The chips supposedly found in Supermicro hardware are suspected to have been added by the Chinese government to help spy on US companies and their users, essentially a “hardware hack” into critical systems. In total, Bloomberg says, the hack allowed the Chinese government to spy on almost 30 American companies.
Carrying out the attack involved “developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location”, the report said.
Supermicro’s motherboards are used around the world, both for specialist products like MRI machines and weapon systems and for datacenters used by tech giants. The company manufactures servers for hundreds of customers, including Elemental Technologies, a startup that specializes in video compression and that was acquired by Amazon in 2015.
“Think of Supermicro as the Microsoft of the hardware world,” a former US intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.
Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture. As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.
Read the companies’ full statements on Bloomberg here.