Report: China Hacked Amazon, Apple and Other U.S. Companies By Implanting Stealth Microchips in Servers
In a blockbuster report published on Thursday, Bloomberg Businessweek details a complex attack on about 30 American companies – including Amazon and Apple – by manufacturing subcontractors in China who allegedly inserted small microchips – “not much bigger than a grain of rice” – on the motherboard of servers used for compressing videos in a multitude of devices.
According to Bloomberg, the microchips were first discovered in 2015 when Amazon began conducting due diligence for a possible acquisition of Elemental Technologies, a Portland, Oregon-based startup that “made software for compressing massive video files and formatting them for different devices.” Amazon Web Services (AWS) hired a third-party firm to evaluate Elemental’s security, which “uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression.”
Elemental’s servers were assembled by Super Micro Computer Inc., a San Jose, California-based company that is also known as Supermicro. Elemental sent some of these servers to a third-party company in Ontario, Canada for a security test, as Bloomberg reports.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
One of the ways – and apparently the most difficult way – for spies to modify the “guts of a computer” is “seeding changes from the very beginning” of the manufacturing process, Bloomberg reports. The other way – which documents leaked from the National Security Agency by Edward Snowden showed to be the method preferred by U.S. spy agencies – “consists of manipulating devices as they’re in transit from manufacturer to customer.”
However, because roughly 75 percent of the world’s mobile phones and 90 percent of its PCs are made in China, according to Bloomberg, China had much more to gain by choosing the first approach. This was no small feat.
Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”
But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
The U.S. government has been investigating this attack for three years now, Bloomberg reports, starting with the Obama administration and continuing on with the Trump White House. In addition to Apple and Amazon, investigators tell Bloomberg that a “major bank” and government contractors were also affected.
Apple had been “an important Supermicro customer,” but three senior “Apple insiders” tell Bloomberg that the company had also found “malicious microchips” on the Supermicro servers in the summer of 2015. Apple canceled its relationship with Supermicro in 2016, apparently for “unrelated reasons.”
Apple, Amazon and Supermicro all released emailed statements.
Apple said in part:
Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
“While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard,” Supermicro said in a statement. “We are not aware of any customer dropping Supermicro as a supplier for this type of issue.”
You can read Bloomberg Businessweek’s full report here.
You can read the statements from Apple, Amazon and Supermicro here.