In what could be the most important US national security story of the decade, a new report alleges that China has been installing tiny microchips, roughly the size of a grain of rice, on the motherboards of countless servers imported into the US.
The revelations come from a new report by Bloomberg, which states that the clandestine microchips were first found by Amazon in 2015, which in turn reportedly alerted America’s intelligence agencies.
Amazon Web Services (AWS), which has a contract with the CIA, was investigating a company called Elemental Technologies for a potential acquisition when it allegedly uncovered the microchips. Elemental’s products, along with that of a company called Supermicro, are used by everyone from the US Navy to the CIA.
“Think of Supermicro as the Microsoft of the hardware world,” a former US intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
The idea that China has been installing mini-spies into American electronics has long been a fear of the American intelligence community, as the US’s New Cold War adversary produces most of the gadgets used in the West. China manufactures as much as 75 per cent of the world’s smartphones and perhaps as much as 90 per cent of the world’s personal computers, according to the report.
From Bloomberg Businessweek:
The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what US officials now describe as the most significant supply chain attack known to have been carried out against American companies.
The exploit reportedly hit nearly 30 American businesses, including Apple, “a major bank”, and a host of government contractors. The investigation into the massive security breach reportedly remains open to this day.
Apple, for its part, has denied Bloomberg’s reporting, issuing a new statement to CNBC last night:
We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed. Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.
Amazon also challenged Bloomberg’s report, saying, “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
How could these microchips have hidden in plain sight? By looking like something else entirely.
Again, from Bloomberg:
The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Grey or off-white in colour, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialised equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.
There have been growing tensions between China and its New Cold War foes such as the United States, Australia and Germany. Best Buy has stopped selling Huawei devices over fears about the safety of those products, and China has been shut out of bidding on lucrative 5G contracts in the United States. The US government even claims that China is using LinkedIn to recruit Americans for spying.
In an email to Gizmodo for this story, Apple pointed us to the denial it provided Bloomberg. Likewise, Amazon reiterated its earlier comment:
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.
Amazon Web Services then sent Gizmodo an even stronger denial, insisting, “we have not engaged in an investigation with the government.” The company has also written an entire blog post refuting the claims. So make of that what you will.