In a scene straight out of a spy movie, the Chinese government inserted tiny malicious chips into Supermicro servers used by Amazon, Apple, and other large American companies and federal agencies, according to a Bloomberg report.
Citing U.S. national security officials, Bloomberg says a Chinese military unit designed and manufactured the chips, which are as small as a grain of rice. The microchips were then inserted into motherboards at Chinese factories that supplied Supermicro, one of the largest data center server vendors in the world.
“Think of Supermicro as the Microsoft of the hardware world,” a former U.S. intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
Once the affected servers were switched on, they altered the operating system to accept modifications from remote computers and waited for further instructions and code. China’s goal was to steal corporate secrets and infiltrate U.S. government networks.
The investigation, which began in 2014 and remains open, found that the hardware attack hit almost 30 companies, including a major bank, government contractors, Amazon, Apple, and Elemental Technologies, a backend mobile video service that Amazon Web Services (AWS) acquired in 2015.
AWS, Apple Deny Server Flaws
Amazon, Apple, and Supermicro all issued statements denying the Bloomberg report. “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon said. “It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” according to Apple. “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Bloomberg, however, says 17 sources countered those denials and confirmed the manipulation of Supermicro hardware.
“If true, and the Bloomberg investigation seems comprehensive, this is HUGE!!!!!” wrote analyst Jack E. Gold, president of J. Gold Associates, in an email. “It should send off signal flares in all areas of government and industry. It’s highly likely that Apple, Amazon, etc., are caught in a Catch-22 situation. If they confirm that they were hacked as the report alleges they will immediately lose trust from a majority of customers and it will have major implications to their business and bottom lines. So a denial is in their own self-interest even if it’s not ultimately in the best interest of consumers.”
The report also shows how “incredibly hard” it is to detect hardware hacks, Gold added. “Who knows how many other undetected chip-based or other hardware-based hacks there are,” he wrote. “With so much of the high-tech manufacturing supply chain taking place in China, it’s almost impossible to fully assert control over the products we contract them to build, even if ultimately sold by U.S. companies.”
This type of hardware hack is much more difficult to pull off than infiltrating a network via software. It requires a deep understanding of the product design and the ability to manipulate components inside the factory. And even after the hardware has been compromised, these servers still have to make it through the supply chain to their intended location.
“Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” Joe Grand, a hardware hacker and the founder of Grand Idea Studio, told Bloomberg. “Hardware is just so far off the radar, it’s almost treated like black magic.”