In a bombshell report published this morning by Bloomberg, reporters Jordan Robertson and Michael Riley tell the story of hacked motherboards making their way into servers used by Amazon, Apple, and hundreds of other customers of motherboard supplier Supermicro.
Essentially, the report claims that agents of the Chinese government bribed and threatened managers at factories run by Supermicro subcontractors in China into allowing the agents to insert malicious chips onto the motherboards. Those chips would then provide a beachhead for infiltrating the networks of Supermicro customers.
In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video… In late spring of 2015, Elemental’s staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China…which by some estimates makes 75 percent of the world’s mobile phones and 90 percent of its PCs.
Still, to actually accomplish a seeding attack would mean developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location—a feat akin to throwing a stick in the Yangtze River upstream from Shanghai and ensuring that it washes ashore in Seattle. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. “Hardware is just so far off the radar, it’s almost treated like black magic.”
But that’s just what U.S. investigators found: The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies.
Today, Amazon published the following emphatic denial:
Today, Bloomberg BusinessWeek published a story claiming that AWS was aware of modified hardware or malicious chips in SuperMicro motherboards in Elemental Media’s hardware at the time Amazon acquired Elemental in 2015, and that Amazon was aware of modified hardware or chips in AWS’s China Region.
As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count. We will name only a few of them here…
Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.
Security will always be our top priority. AWS is trusted by many of the world’s most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else. We are constantly vigilant about potential threats to our customers, and we take swift and decisive action to address them whenever they are identified.
Apple has issued its own denial as well.
The Bloomberg article goes on:
The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.
One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is known to have been stolen.
The ramifications of the attack continue to play out. The Trump administration has made computer and networking hardware, including motherboards, a focus of its latest round of trade sanctions against China, and White House officials have made it clear they think companies will begin shifting their supply chains to other countries as a result. Such a shift might assuage officials who have been warning for years about the security of the supply chain—even though they’ve never disclosed a major reason for their concerns.
How believable is this story? Some possible scenarios:
- If it is false, one possibility from a political perspective is that this story was manufactured by someone in the Trump administration or someone who is otherwise motivated to advance US protectionist trade policies. This story increases FUD regarding essentially all modern technology infrastructure. However, such an effort would seemingly have required at least somewhat coordinated work by the “17” sources Bloomberg cited.
- If it is true, then why/how could Amazon and Apple plainly deny it? Unless there are logical exemptions in their denials due to intentionally specific choices of language, one possibility is that the PR staff responsible for issuing these denials are not in the loop on what happened. How could that be the case? I don’t know, unless this response is somehow being coordinated at very high levels due to overriding national security concerns.
It seems, at the least, unusual for such a seemingly deeply reported story from a reputable publication to be so flatly denied by Amazon and Apple. There are surely many questions left unanswered by the public statements of those involved. Because this is a potential matter of national security, the completeness of information available to the public is likely to be low.
We will follow up if/as additional information comes forth.