China produced microchips used to spy on major American companies

Apple and Amazon were among the companies that used Supermicro's server motherboards with embedded chips

Chinese microchips planted to spy on US organizations. A compromised chip related to China's "hardware hack" was found in Supermicro's motherboards, helping to conduct espionage on US institutions.

Bloomberg Businessweek revealed[1] details of the corporate espionage conducted by China back in 2015. A tiny microchip, no larger than the tip of a pen, was found hidden in Supermicro's server motherboards that were used by nearly 30 American companies, among them the largest internet retailer, Amazon, and the tech giant Apple.

Initially, the motherboards were designed by the American IT company Super Micro[2] but were altered by government-affiliated groups during the manufacturing process in China. This allowed spies to enter major U.S. intelligence and military agencies (People’s Liberation Army), major banks, as well as the internal servers of many American businesses, and to conduct extensive spying.

According to Bloomberg, hardware-based cyber attacks are much more devastating:

This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.

The “hardware hack” was detected in 2015

Amazon began to communicate with Elemental Technologies in 2015[3] to help expand its video service, today known as Amazon Prime Video. A third-party security agency was hired to conduct several checks on Elemental's security, and they immediately found some issues that warranted further investigation, leading to the discovery of the malicious microchip.

Upon investigation, the team discovered that the chips were disguised to look like signal conditioning couplers (which made them harder to detect unless specialized equipment is used) and varied slightly in size, depending on the batch that the sample was taken from. This leads to the conclusion that the attackers supplied several different batches of motherboards.

Since the compromised chip was exceptionally small, its functionality was also limited but, in fact, highly significant. The chip was programmed to communicate with several computers that were loaded with more sophisticated code, and to prepare the device to accept that code.

According to the report, hackers could accomplish their goals quickly with the help of the compromised chip, as it let them alter how the device functioned.

Rumors and speculations. Are Bloomberg reporters wrong?

The announcement claims that Amazon and Apple, after finding out about the compromised devices, reported the incident to the U.S. authorities back in 2015. However, both companies deny that they had any knowledge about the security incident, with Amazon claiming that they never detected hardware modifications:[4]

We’ve re-reviewed our records relating to the Elemental acquisition for any issues related to SuperMicro, including re-examining a third-party security audit that we conducted in 2015 as part of our due diligence prior to the acquisition. We’ve found no evidence to support claims of malicious chips or hardware modifications.

Apple also wrote to Bloomberg with a similar statement:

On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

Furthermore, Super Micro claimed that they have never been contacted by any government officials about this matter and “are not aware of any customer dropping Supermicro as a supplier for this type of issue.”

Finally, the Chinese Ministry of Foreign Affairs also said that the country is a defender of cybersecurity and did not conduct such an operation. The spokesperson also noted that China offered an International code of conduct for information security back in 2011, ending in Obama's and Xi Jinping's cyber pact in 2015.[5]

It is hard to tell which side is right because Bloomberg cited 17 unnamed sources that allegedly dealt with the incident. Besides, all the parties involved deny the allegations. However, this story provides some brilliant material for conspiracy theorists.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has a long experience working in malware and technology fields.
