October 4, 2018
Ready for information about what may be one of the largest corporate espionage programs from a nation-state? The Chinese government managed to gain access to the servers of more than 30 U.S. companies, including Apple. Bloomberg reports that U.S.-based server motherboard specialist Supermicro was compromised in China, where government-affiliated groups are alleged to have infiltrated its supply chain to attach tiny chips, some merely the size of a pencil tip, to motherboards which ended up in servers deployed in the U.S.
The goal, Bloomberg said, was to gain an entry point within company systems to potentially grab IP or confidential information. While the micro-servers themselves were limited in terms of direct capabilities, they represented a “stealth doorway” that could allow China-based operatives to remotely alter how a device functioned to potentially access information.
US officials have shared details of a widespread hardware hack which saw Chinese spies infiltrate 30 American companies, including Amazon and Apple, in 2015 by planting rice-sized computer chips onto their server motherboards which gave hackers access to sensitive consumer and government data.
Once aware of the program, the U.S. government spied on the spies behind the chips but, according to Bloomberg, no consumer data is known to have been stolen through the attacks. Even still, this episode represents one of the most striking espionage programs from the Chinese government to date.
The story reports that the chips were discovered and reported to the FBI by Amazon, which found them during due diligence ahead of its 2015 acquisition of Elemental Systems, a company that held a range of U.S. government contracts, and Apple, which is said to have deployed up to 7,000 Supermicro servers at peak.
At the time of the attack, there were 7,000 Supermicro servers in use by Apple and many were facilitating its Siri voice assistant function, according to the report.
Bloomberg reported that Amazon removed them all within a one-month period. Apple did indeed cut ties with Supermicro back in 2016, but it denied a claim from The Information which reported at the time that it was based on a security issue.
Amazon, meanwhile, completed the deal for Elemental Systems — reportedly worth $500 million — after it switched its software to the AWS cloud.
Supermicro, meanwhile, was suspended from trading on the Nasdaq in August after failing to submit quarterly reports on time. The company is likely to be delisted once the timeframe for an appeal is over.
Supermicro is one of Silicon Valley’s most prolific hardware manufacturers and is the country’s largest supplier of motherboards. It is the third largest supplier in the world.
All three companies suffered losses on Thursday when the news broke. Amazon and Apple’s stock prices dipped by up to two percent.
No data is believed to have been stolen and the other 28 companies affected were not named.
The servers made their way into AWS data centers in Beijing and Apple data centers around the world, according to the US government officials and employees.
Supermicro's motherboards are built mostly in its own facilities in Taiwan and China, but in 2015 it had been outsourcing to four Chinese subcontractors when demand for its products overwhelmed its own operations.
It was in these subcontractor factories that Chinese military spies posed as members of Supermicro or governmental officials and ordered the manufacturers to include the tiny chip in the motherboards.
No consumer data was stolen, the officials say, but the threat the chips posed was extraordinary.
Once a server was turned on, the chips operated almost like a Trojan Horse by disarming the server’s security capabilities and granting access to hackers overseas.
The chips could communicate with the hackers’ computers and slip new code onto the servers without detection.
US intelligence officials became aware of the plan in 2014 while it was still being conceived but they were unable to act because they did not know who among Supermicro’s customers was being targeted.
They did not know about the subcontractor factories or their role in it and they did not want to warn the company and its customers because it would have crippled them financially with little proof of a real hack.
In 2015, however, both Amazon and Apple discovered the breach for themselves and reported it, the insiders say.
Amazon handed over the compromised hardware to be examined, the officials say, and the investigation is still continuing to this day. Apple only alerted the government to it but did not give over the equipment, it was claimed.
The US officials cited by Bloomberg emphasized the scale of the attack by likening Supermicro to Microsoft to illustrate how widespread its reach is.