China Reportedly Used Tiny Chips to Hack U.S. Companies

According to a Bloomberg Businessweek cover story today, Chinese spies infiltrated nearly 30 U.S. companies including Amazon and Apple by embedding tiny chips into servers in the technology supply chain. In 2015, malicious microchips were reportedly embedded in servers bound for U.S. companies, which resulted in compromised software used in numerous hardware devices. While the report cites former government officials and “senior insiders” at Apple, both Amazon and Apple — as well as motherboard manufacturer Supermicro and China’s Ministry of Foreign Affairs — have firmly disputed the findings.

The Bloomberg Businessweek cover story claims that AWS hired a third party company to evaluate the security of Elemental Technologies, when Amazon was considering an acquisition for its streaming video service that would become Amazon Prime Video. (Amazon announced its acquisition of Elemental in September 2015.)

“The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks to handle the video compression,” claims the report. “These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards.”

Testers reportedly discovered a tiny microchip on the motherboards that was not part of the original design, which Amazon then reported to U.S. authorities. The issue reached beyond potential corporate espionage, since Elemental’s servers were used by numerous government entities including the U.S. Navy, CIA and Department of Defense.

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” reads part of the Amazon statement, as published by Bloomberg. “It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”

According to Bloomberg, “The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.”

The report suggests three Apple officials revealed that Apple also discovered malicious chips on the Supermicro motherboards in the summer of 2015. The company was planning “to order more than 30,000 of [Supermicro] servers in two years for a new global network of data centers.”

However, Apple was also adamant in its response: “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”

Supermicro joins Apple and Amazon in refuting the report: “While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.”

Today, Supermicro “dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems,” reports Bloomberg. “Its motherboards can be found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards — its core product — are nearly all manufactured by contractors in China.”