An explosive report has accused Chinese intelligence agencies of sneaking a tiny chip into servers assembled in China for US chip maker Supermicro, introducing hardware vulnerabilities that enable stealth access to any network using the altered devices.
Bloomberg has reported, citing multiple sources, that US investigators have found evidence of an unprecedented supply chain attack on servers used by companies including Amazon and Apple.
The allegedly compromised components were used by video streaming company Elemental Technologies for its services compressing video files and optimizing them for different devices.
According to the report, a third-party company hired by AWS to scrutinize Elemental's security in advance of Amazon's potential acquisition of the company discovered a tiny microchip in a sample server that was not part of the original design. Apple was also reportedly a major Supermicro customer, using its components for a global network of data centers, the report adds.
This chip allegedly allows for the creation of a stealth doorway into any network using the altered servers. The investigation reportedly later found evidence that the chips had been inserted by four subcontractors of Supermicro's primary manufacturers for its motherboards, which are based in Shanghai and Taiwan.
Interactions between Chinese officials, manufacturers and middlemen in China intercepted by investigators suggest that middlemen offered bribes and threats to coerce the subcontractors to insert the chips on behalf of a PLA unit specializing in hardware attacks, the report claims.
But Amazon, Apple and Supermicro have all subsequently released statements challenging the report. Apple has been particularly firm in its denial of the report, stating that the company has repeatedly found “absolutely no evidence” to support Bloomberg's claims, and has consistently provided statements refuting almost all aspects of the story as it relates to Apple.
Supermicro has also stated that it is unaware of any investigation and has not been contacted by the government, while China's Ministry of Foreign Affairs has insisted that the nation “is a resolute defender of cybersecurity” and that supply chain security is a concern of all governments.