China’s Stealth Hack on Supply Chain Is Worst of All

There's no better tale to demonstrate the threat of China's sinister deceit than what Bloomberg Businessweek magazine brought to light in an October article.

Amazon's Web Services division (AWS, their data storage "cloud") was in 2015 looking to buy Elemental Technologies of Portland, Oregon, which develops software to compress massive video files and conform them to different devices for faster transmission. Elemental uses servers assembled by Supermicro Computer in San Jose, California, one of the world’s biggest suppliers of server motherboards. It has these manufactured by subcontractors in China.

As part of due diligence, Amazon sent a server to an outfit in Ontario that securitizes such devices. It found a tiny microchip on the motherboard that wasn't a part of the original board's design. It was hardly bigger than a grain of rice.

Investigators have been able to deduce that the chips, present in all Supermicro boards, were inserted by the Chinese subcontractors, most likely required to do so by the Chinese government or the People's Liberation Army, and that their function is to open a door for an attacker to
pass through into any network to which the server is attacked. Hardware attacks are about access, access to whatever sensitive and secret data was on that network — corporate, government, military, whatever. The infiltration of the tiny saboteur chip is looked upon as the most significant supply chain attack known to have been carried out against American companies.

Hardware hacks are a magnitude more difficult to pull off than software implants, "like witnessing a unicorn jumping over a rainbow" said one hardware hacker. It's "like black magic". Engineers who have analyzed the chip say it appears to alter bits of code on their way to the CPU telling the device to communicate with computers elsewhere on the Internet.

The Portland company's own promotional materials show that its servers process drone and surveillance-camera footage at the Department of Defense data centers, transmit feeds of airborne missions to Navy warships, and are used inside government buildings for videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have been customers. Some 30 companies, including banks, government contractors, even Apple, are known to have been affected. Apple had planned to buy over 30,000 servers from Supermicro, but it, too, spotted the chip and severed ties with the company.

With some 900 customers in about 100 countries, Supermicro is an industry giant few have heard of, dominating the $1 billion international market for special purpose motherboards in uses ranging from MRI machines to weapon system, and shipping millions into the U.S. yearly, all fabricated in China.

What is worse about this story according to someone who anonymously informed Bloomberg Businessweek is that in the first half of 2014, intelligence officials notified the White House that China’s military was preparing to insert chips into Supermicro motherboards. But the Obama administration was concerned that issuing a warning could cripple a major American hardware maker.

Bloomberg Businessweek has 17 people who attest to its truth, including two who worked inside AWS and one at Apple, who say that both Amazon and Apple reported their discovery of the embedded chips to the FBI in 2015. Yet Amazon, Apple, and Supermicro all deny the story. The magazine says a top-secret probe continues to this day. Neither the FBI nor the Office of the Director of National Intelligence, representing the CIA and NSA would comment.