Sign up for our newsletter
Technology / Cybersecurity

China Put Spy Chips in Servers Used by Apple, Amazon, Major Banks: Bloomberg

In an extensive 5,000-word investigation spanning both the Obama and Trump administrations and denied outright by every named party but confirmed by six current and former senior national security officials, Bloomberg claimed today that interventions along America’s technology supply chain by Chinese spies resulted in compromised Supermicro hardware reaching almost 30 US companies.

Bloomberg named Amazon and Apple as among the companies affected by compromised Supermicro motherboards; claims rejected outright by both parties. The news wire said it has had 17 sources confirm the story. Supermicro servers are in use in the UK across the financial services and oil and gas sectors, among others.

White papers from our partners

Bloomberg pointed to Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards, “the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small” as having had hardware “seeded” with a malicious microchip by Chinese PLA operatives.

The issue was allegedly identified initially as the result of a AWS security audit, as it began work on a private cloud for the CIA.

Bloomberg reporters Jordan Robertson and Michael Riley wrote: “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.”

See also: Q&A: Cybersecurity, Machine Learning and the Nation State

They added: “During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”

One official said investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and Apple Inc., an allegation Bloomberg says was supported by confirmation from three Apple insiders.

“Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.”

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon has responded.

“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote.

“We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes.

UK distributors of Supermicro hardware find homes for it across the financial services sector, where it underpins numerous major data centres. None of those contacted by Computer Business Review was aware of the allegations and declined to respond.

 
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.