An in-depth report into an alleged cyber-espionage campaign carried out by Chinese operatives is being disputed by some implicated tech giants.
An explosive report published by Bloomberg Businessweek yesterday (4 October) claims that Chinese spies infiltrated the technical supply chain of major tech firms including Amazon and Apple, planting a microchip on their servers manufactured outside the US.
The pencil tip-sized spy chip, which was assembled by a company called Super Micro Computer (known as Supermicro), would allow spies to secretly modify data centre servers and provide the Chinese government with a backdoor into some of the world’s largest technology firms.
While the security world has traditionally looked at software attacks as the more commonplace occurrence, the concept of a malicious chip has sparked much discussion in the industry. According to the Bloomberg report, the Chinese People’s Liberation Army (PLA) forced the inclusion of illicit chips on hardware during the manufacturing process of server systems in factories.
What is Supermicro?
Supermicro is one of the world’s largest suppliers of server hardware, storage and GPU systems, and it allegedly assembled server motherboards for Elemental, which was acquired by Amazon in 2015.
After the motherboards were forensically examined, it was found that minuscule chips embedded in the board were not part of the original design. This discovery was apparently passed on to authorities in the US, as the servers were being used by the CIA and other state agencies.
Denials coming in fast
The Bloomberg report alleged that Apple was one of the victims, stating that the company had found the malicious chips in 2015, severing ties with the firm in 2016. Apple has vehemently denied all allegations.
In a written response, the iPhone-maker said: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.” The company said that beyond an infected driver discovered in 2016, there were no other security-related issues with Supermicro.
In a separate statement, Steve Schmidt, chief information security officer at Amazon, described the Bloomberg piece as “erroneous”. The article had claimed that Amazon Web Services (AWS) had been aware of malicious chips in Supermicro motherboards in Elemental’s hardware at the time it acquired the company in 2015.
Amazon said it did “a lot of due diligence” when it was acquiring Elemental, including commissioning an external security firm to compile a report. Schmidt added: “There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”
Supermicro also strenuously denied the legitimacy of the story. “The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice. Nearly all systems providers use the same contract manufacturers. Supermicro qualifies and certifies every contract manufacturer and routinely inspects their facilities and processes closely.”
Bloomberg itself says it has testimony from six current and former national security officials as well as confirmation by 17 anonymous sources which back up its reporting on the Supermicro compromise.
The Chinese ministry of foreign affairs said the country was a “resolute defender of cybersecurity”. The spokesperson said that supply chain safety is a problem that concerns every government, adding that “China is also a victim”.
US National Security Council leader, John Bolton, said “…Chinese efforts to threaten us in cyberspace and across the information technology spectrum are a very high priority for us”.
A complex web
Reporter Zack Whittaker wrote in TechCrunch that tapping the intelligence community for information is “near impossible”. He added that, even if there was an active espionage investigation into China’s alleged actions, it may have been possible that only very few people at Apple or other companies would know about it.
As he said, it is a complex story and Bloomberg’s reputation as a respected publication must be considered, alongside the possible need for more transparency when it comes to reporting.
Aside from the claims and counter-claims around the story, it is clear that supply chain infiltration on the hardware end is a credible threat and one that security teams must be cognisant of. While software supply chain attacks are commonplace, they can be somewhat easier to secure against. The hardware supply chain is a much larger logistical challenge.