Apple and Amazon are strongly refuting a report claiming that Chinese spies infiltrated third-party motherboards used on servers by U.S. companies. If true, the incident would be the largest supply chain attack to have been launched against American corporations, say experts.
According to a Bloomberg report, a Chinese government-affiliated group coerced Chinese manufacturer Super Micro Computer (Supermicro) into inserting tiny microchips into its motherboards. Those Supermicro motherboards were then used in servers designed in the United States and ultimately used by more than 30 U.S. companies – including Apple and Amazon, as well as unnamed government contractors and “a major bank.”
Amazon, Apple and Supermicro have each denied all aspects of the report.
“As we shared with Bloomberg Businessweek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems,” an Amazon spokesperson stressed when questioned by Threatpost.
Apple referred Threatpost to a statement it had given Bloomberg, stating: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Bloomberg’s report cited at least 17 anonymous sources familiar with the use of the spy chip – including U.S. officials and Apple “senior insiders.”
The goal of the attack was to gain an entry point into systems used by corporations – and ultimately scoop up confidential data or IP. However, the report said that no consumer data is known to have been taken during the attack.
According to Bloomberg, Apple was a major Supermicro customer up until 2015, when it found malicious chips on the Supermicro motherboards and severed ties with the company the following year. Apple said in its statement that it did so for unrelated reasons.
Amazon, meanwhile, discovered the issue when investigating the products of Elemental Systems – one of the customers of Supermicro – before acquiring the company in 2015, according to the report. Amazon then notified the U.S. government, Bloomberg reported.
Supermicro, which did not respond to a request for comment from Threatpost, said in a statement to Bloomberg that it is not aware of any investigation and has not been contacted by any government agency regarding the matter.
“Every major corporation in today’s security climate is constantly responding to threats and evolving their security posture,” it said in a statement. “As part of that effort we are in regular contact with a variety of vendors, industry partners and government agencies sharing information on threats, best practices and new tools. This is standard practice in the industry today. However, we have not been in contact with any government agency regarding the issues you raised.”
Patrick Moorhead, president of Moor Insights and Strategy, said in a tweet the incident appeared to be a supply chain attack.
“For this to work, the [Printed Circuit Board] PCB gold lines would likely have had to be altered, too, to have the fake power chip communicate with BIOS, memory, storage, or CPU,” Moorhead said in a tweet, suggesting that maybe the power management integrated circuits were hacked, as they lead to the BIOS.
For this to work, the PCB gold lines would likely have had to be altered, too, to have the fake power chip communicate with BIOS, memory, storage, or CPU. I doubt a “blue wire” would have been used as it’s a dead giveaway. PMIC maybe hacked which leads to BIOS. https://t.co/NhFf1J00G3
Regardless, Moorhead said in another tweet, “This incident, real or not, will kick off a flurry of debate on U.S. manufacturing, secure supply chains, OEM vs ODM, network traffic control, secure BIOS, hardware-based software signing, etc.”
Supply chain attacks continue to be a constant source of concern for businesses and tech companies. According to CrowdStrike’s global SupplyChain Survey, nearly 80 percent of respondents believe software supply-chain attacks have the potential to become one of the biggest cyber threats over the next three years – but few organizations are prepared to mitigate the risks.