If true, a Bloomberg report published Thursday could document one of the biggest hardware supply chain attacks against American companies.
A bombshell Bloomberg report early Thursday alleges that Chinese hackers compromised servers belonging to two of the world’s most valuable companies, Amazon and Apple, as a means to access confidential data and valuable intellectual property.
If true, it could be the largest nation state corporate espionage campaign ever.
The report alleges that operatives from a unit of the People's Liberation Army, China's military force, placed tiny CPU implants - as small as a grain of rice - on chips placed in server motherboards in China. These motherboards were built into servers by Supermicro, a manufacturer based in San Jose, before ultimately making their way into data centers at dozens of U.S. companies. According to a national security official interviewed in the piece, the attack affected almost 30 companies, including Apple and Amazon, a major bank, and government contractors.
China's goal was "long-term access to high-value corporate secrets and sensitive government networks," according to one government official interviewed by Jordan Robertson and Michael Riley, the Bloomberg reporters behind the story.
The publication says the chips were placed on chips by workers at unnamed subcontracted manufacturing facilities in China. The chips were affixed to the Baseboard Management Controller, a specialized service processor built into the server. The BMCs leverages Intelligent Platform Management Interface, a protocol that provides management and monitoring capabilities for administrators. By obtaining access to IPMI the PLA could take over machines completely, reset it, reinstall the operating system, and so on.
The article claims that both Amazon and Apple were aware of the malicious chips; Amazon in 2015 after a third party company reviewed servers by Elemental, a company Amazon was going to acquire, and Apple in the summer of 2015. For what it’s worth Amazon went ahead with the acquisition in 2015; Apple cut ties with Supermicro in 2016 for unknown reasons, Bloomberg said.
The article, which cites 17 unnamed intelligence and company sources, has received its fair share of criticism over the last 24 hours. Apple, Amazon, and Super Micro Computer were quick to dispute the report Thursday, flat out denying the report in statements published alongside Bloomberg's article.
Apple vehemently denied that it had malicious chips on its network, issuing not one but two statements around the article Thursday. According to Apple it's more likely the publication is confusing their story with another incident involving an infected driver on a Supermicro server the company found in one of its labs in 2016. Apple says that event was accidental and "not a targeted attack against Apple."
Amazon called the report erroneous, and said the company at no time had found any issues with chips in Supermicro motherboards, adding that there are "so many inaccuracies in this article as it relates to Amazon that they're hard to count."
Supermicro, for its part, said it was unaware of any investigation around the topic, nor had it been in contact with any government agency regarding spying or surveillance.
News of the hack coincidentally comes days away from a deadline imposed by Homeland Security Department to the industry on ways the government can better secure the supply chain. The DHS issued a call to action back in August asking for better ways to address risks in the supply chain, specifically those that affect Federal, State, Local, Tribal, and Territorial governments, and Critical Infrastructure owners and operators. The deadline for a response is October 10.
While the veracity of the Bloomberg story isn’t entirely clear yet, if true, it illustrates just how fraught with risk the supply chain can be. Leveraging outside technology in supply chains can complicate an already complex ecosystem but these days it’s almost always necessary, especially in China, where labor and assembly costs tend to be much cheaper.
Amazon said Thursday in its rebuttal that it "investigates all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners."
Conducting audits is laudable but supply chain networks by design necessitate trust and visibility. Afterall, the root of trust has to start somewhere. If the Bloomberg story is true and these these tiny chips were inserted in no-name manufacturing subcontractors in China, perhaps that's not not the strongest root of trust. Without a risk-based approach, one that affords the ability to control and see who has your data, throughout the chain, organizations will continue to be at risk, both financially, and reputationally.