Allegedly compromised hardware underpins major financial services infrastructure in the UK
In an extensive 5,000-word investigation spanning both the Obama and Trump administrations, Bloomberg claimed today that interventions along America’s technology supply chain by Chinese spies resulted in compromised Supermicro hardware reaching almost 30 US companies. The claims were denied outright by every named party but confirmed by six current and former senior national security officials.
Bloomberg named Amazon and Apple as among the companies affected by compromised Supermicro motherboards, claims that both companies rejected outright. The news wire said it has had 17 sources confirm the story. Supermicro servers are in use in the UK across the financial services and oil and gas sectors, among others.
This is a huge story, apparently well-sourced. *If* the alleged PLA hardware hack played out as described—then we're looking at an intelligence operation of historic proportions https://t.co/Get5cMHVzg pic.twitter.com/bkUUOrrGny
— Thomas Rid (@RidT) October 4, 2018
Bloomberg pointed to Super Micro Computer Inc., a San Jose-based company commonly known as Supermicro and one of the world’s biggest suppliers of server motherboards (“the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small”), as having had hardware “seeded” with a malicious microchip by Chinese PLA operatives.
The issue was allegedly first identified as the result of an AWS security audit, as it began work on a private cloud for the CIA.
Bloomberg reporters Jordan Robertson and Michael Riley wrote: “Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community.”
They added: “During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
One official said investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and Apple Inc., an allegation Bloomberg says was supported by confirmation from three Apple insiders.
Is Bloomberg's supply chain attack article mistaken? Who knows. Are IPMI and BMCs the spawn of Satan that will keep cyber security a mirage always on the horizon? Definitely. https://t.co/cBsXOhTgjz
— the grugq (@thegrugq) October 4, 2018
“Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.”
“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon has responded.
“On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote.
“We remain unaware of any such investigation,” wrote a spokesman for Supermicro, Perry Hayes.
UK distributors of Supermicro hardware find homes for it across the financial services sector, where it underpins numerous major data centres. None of those contacted by Computer Business Review was aware of the allegations, and they declined to respond.