Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies, including government contractors, Apple, and Amazon, according to an explosive report from Bloomberg Businessweek.
The operation is perhaps the most audacious example of hardware hacking by a nation state ever publicly reported, with a branch of China’s armed forces reportedly forcing Chinese manufacturers to insert microchips into US-designed servers. The chips were “not much bigger than a grain of rice,” reports Bloomberg, but able to subvert the hardware they’re installed on, siphoning off data and letting in new code like a Trojan Horse.
According to Bloomberg, Amazon and Apple discovered the hack through internal investigations and reported it to US authorities. The publication says there’s no direct evidence that the companies’ data — or that of users — was stolen or tampered with, but both firms worked quietly to remove the compromised servers from their infrastructure.
Both Amazon and Apple strongly refute the story. Amazon says it is “untrue” that it knew of “servers containing malicious chips or modifications in data centers based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.” Apple is equally definitive, telling Bloomberg: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
“Think of Supermicro as the Microsoft of the hardware world,” a former US intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
Bloomberg’s reporting has not been confirmed by on-the-record sources from the US intelligence community. The FBI and the Office of the Director of National Intelligence, representing the CIA and NSA, declined to comment for the story. However, it’s well known that such hardware subversions are a big prize for a nation’s intelligence outfits — the NSA itself has been caught carrying out similar operations. They promise huge rewards in terms of stolen information, but leave behind physical trails, unlike software hacks.
As with other large-scale hacks and security failures, the repercussions of the operation as reported by Bloomberg will be difficult to judge. According to the publication, the US intelligence community’s investigation is still ongoing, three years after it was opened.