Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies, including government contractors, Apple, and Amazon, according to an explosive report from Bloomberg Businessweek.
The operation is perhaps the most audacious example of hardware hacking by a nation state ever publicly reported, with a branch of China’s armed forces reportedly forcing Chinese manufacturers to insert microchips into US-designed servers. The chips were “not much bigger than a grain of rice,” reports Bloomberg, but able to subvert the hardware they’re installed on, siphoning off data and letting in new code like a Trojan Horse.
According to Bloomberg, Amazon and Apple discovered the hack through internal investigations and reported it to US authorities. The publication says there’s no direct evidence that the companies’ data — or that of users — was stolen or tampered with, but both firms worked quietly to remove the compromised servers from their infrastructure.
Both Amazon and Apple strongly refute the story. Amazon says it is “untrue” that it knew of “servers containing malicious chips or modifications in data centers based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.” Apple is equally definitive, telling Bloomberg: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
The attack was reportedly carried out via the US-based company Super Micro Computer Inc, commonly known as Supermicro. The firm is one of the world’s biggest suppliers of server motherboards, and contracts out manufacturing to factories in China and elsewhere.
Supermicro’s motherboards are used around the world, both for specialist products like MRI machines and weapon systems and for datacenters used by tech giants. The company manufactures servers for hundreds of customers, including Elemental Technologies, a startup that specializes in video compression and that was acquired by Amazon in 2015.
“Think of Supermicro as the Microsoft of the hardware world,” a former US intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
According to Bloomberg, it was Elemental (via Supermicro) that was a prime target for the Chinese military. Elemental’s servers “could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships,” says the publication, with thousands more used by Apple and Amazon. In total, the attack affected almost 30 US companies, including government contractors and one major bank.
Parts of Bloomberg’s story have been previously reported. Apple did sever its relationship with Supermicro in 2016, but the iPhone-maker claimed this was due to an unrelated and minor security incident. Amazon reportedly distanced itself from Supermicro’s compromised servers by selling its Chinese infrastructure to a rival, for unknown reasons at the time. In a statement to Bloomberg, Amazon admitted finding “vulnerabilities” in Supermicro’s products, but said they were software, not hardware, related. Facebook, another potential customer, also found problems with Supermicro’s products, identifying malware in the company’s software and removing the servers from its datacenters.
Bloomberg’s reporting has not been confirmed by on-the-record sources from the US intelligence community. The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment for the story. However, it’s well known that such hardware subversions are a big prize for a nation’s intelligence outfits — the NSA itself has been caught carrying out similar operations. They promise huge rewards in terms of stolen information, but leave behind physical trails, unlike software hacks.
As with other large-scale hacks and security failures, the repercussions of the operation as reported by Bloomberg will be difficult to judge. According to the publication, the US intelligence community’s investigation is still ongoing, three years after it was opened.