A bombshell Bloomberg report today suggests that the Chinese government has been hacking American companies in a fairly astonishing manner: inserting tiny chips into computers manufactured in China. The report claims that thousands of compromised servers were sold by Supermicro, which once supplied Apple and Amazon datacenters, and that multiple U.S. security agencies have been investigating the breach in a top-secret probe since at least 2014.
According to the report, Chinese spies developed pencil-tip-sized chips that could be placed on computer motherboards and resembled innocuous components despite containing their own memory, networking, and processing capabilities. The spies allegedly infiltrated Supermicro’s subcontractors, adding the chips to servers without being detected. Once the servers were powered on, the chips compromised the server’s operating system and sat awaiting further instructions from attackers.
China’s goal, Bloomberg says, was to obtain long-term access to government networks and corporate secrets; neither consumer data nor computers sold to consumers are believed to have been affected. Yet as Supermicro is one of the world’s leading server motherboard suppliers and also “dominates” the supply of custom boards used in high-end electronics, its scope in hardware is said to be like Microsoft’s in software. “Attacking Supermicro motherboards is like attacking Windows,” a former U.S. intelligence official told Bloomberg. “It’s like attacking the whole world.”
The current scope of the damage is unclear. While compromised Supermicro servers were apparently sent to nearly 30 companies, U.S. security officials warned at least some to dump the company’s hardware. Investigations have been ongoing, but the White House has been aware of the Chinese initiative since 2014.
Based on information from 17 sources, including U.S. officials and former employees of companies, Bloomberg says Amazon discovered sabotaged hardware and reported it to the government, offering agencies access to the chips, while Apple supposedly reported its findings in mid-2015. The report alleges that Apple originally planned to purchase 20,000 Supermicro servers in 2015 but abruptly ended its relationship with the supplier in 2016 over “an unrelated and relatively minor security incident.”
However, Amazon, Apple, and Supermicro all issued statements explicitly denying the Bloomberg report. Amazon says it “found no evidence to support claims of malicious chips or hardware modifications,” and Apple said the same, adding that it “never had any contact with the FBI or any other agency about such an incident.” Apple went further, suggesting that neither Siri services nor customer data were compromised and that search engine data from acquired company Topsy Labs was stored on 2,000 Supermicro servers that have never “been found to hold malicious chips.”
For its part, the Chinese government responded with a vague proclamation, calling itself “a resolute defender of cybersecurity” and a “victim” of “supply chain safety in cyberspace.” It did not explicitly deny the report’s claims but said that it hopes “parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative, and orderly cyberspace.”
Today’s report also sheds light on longstanding but vague U.S. concerns that China’s government is using supposedly independent Chinese companies such as Huawei and ZTE to place spying tools within networking hardware and consumer electronics. In addition to explaining how subcontractors can compromise electronics without the purchaser’s knowledge, the report makes it clear that one generation of the spy chips is thin enough to embed between fiberglass board layers, making them impossible to detect without specialized tools and the original engineering schematics for the products.
The only solution — albeit a potentially impractical one — is for a company to fully control and secure its supply and manufacturing chains. Despite the risks identified by the report, it remains to be seen whether companies will take up that challenge or deny that a problem actually exists.
Update at 1:02 p.m. Pacific: Apple has reissued its denial to Bloomberg as a standalone statement, adding that the company has “never heard from the FBI about an investigation of this kind,” has “never found malicious chips in our servers,” and is “not under any kind of gag order or other confidentiality obligations.” Additionally, Apple confirmed that it has been speaking with Bloomberg about the story for 12 months — a considerable amount of time for the story to have been developed and awaiting publication.