On Thursday, an article was published in Bloomberg Businessweek claiming that the Chinese armed forces, the PLA, had covertly placed microchips on server motherboards destined for the US government and armed forces networks, as well as top tech companies.
Allegedly, these microchips would give the Chinese military a backdoor to some of the most sensitive information on servers worldwide.
If true, this would constitute a security breach of mammoth proportions.
It’s a strange tale of high stakes international drama. Indeed, the companies, the Chinese government and even the US government all strongly deny that any of this took place. Bloomberg’s version of events, has already been hotly contested.
So, how did this happen? Who was involved? What does this mean for you?
Microchip Hack – Who Was Targeted?
The big tech companies, Apple and Amazon among them, plus the US government, armed forces and intelligence services have garnered the most attention. All have allegedly been targeted by hacks involving Chinese-planted microchips, according to the Bloomberg report. However, the story starts with two smaller hardware suppliers: Elemental and Supermicro.
Elemental is one of the leading companies in network-level video compression. That sounds complicated, but its smarts are one of the main reasons why you can watch HD videos on your phone. It also compresses video communications for the US intelligence services, notably handling the CIA’s drone footage, according to Bloomberg.
Elemental compresses videos for its clients by placing its video compression servers on their internal networks. These servers were manufactured a US company called Supermicro. Bloomberg claims that, despite operating out of San Jose, CA, it has strong cultural ties to China, having been founded by a Taiwanese migrant to the US, and continues to be staffed by Chinese and Taiwanese natives. However, these look like incidental facts rather than anything more substantial.
In 2015, Amazon looked into acquiring Elemental to facilitate the creation of its on-demand video service – now known as Amazon Prime.
During its due diligence, Amazon hired a third-party company in Ontario to assess the security of Elemental’s servers. This security assessment “found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design”, according to Bloomberg. This was the claimed malicious PLA-planted chip.
How Were The Chips Planted?
Cybersecurity is a complicated business. Hacking incidents can be wildly complex, filled with jargon and complicated terms. However, this incident is in some ways much more straightforward, and much more concerning as a result.
China is the world’s leading producer in electronics. It has been since US companies began outsourcing manufacturing to the cheaper Chinese market in the 90s. As a result, most of the hardware that goes into running company networks and servers is manufactured in China.
Supermicro, for its part, outsources its server manufacturing to companies operating in Shanghai and Taiwan.
Bloomberg’s report is based on multiple anonymous sources, which it claims are high-ranking US officials. According to these sources, the CIA had been monitoring an element within the PLA which specialized in hardware attacks:
“The existence of this group has never been revealed before”, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.”
This group is suggested to operate in the shadows, using Chinese officials, middlemen and indirectly associated people to the PLA to infiltrate factories.
“As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.”
These motherboards would then be sent back to Supermicro, then onto Elemental who would add their code to the servers, and would then be sold to clients including the CIA.
The size of the malicious microchip
When Did The Microchip Hack Happen?
When Amazon received the results of the Elemental server security assessment in the “late Spring of 2015”, it alerted the US government immediately, according to Bloomberg.
However, Bloomberg claims that the US intelligence services were aware of specific potential threats to motherboard manufacturing:
“American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided… But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.”
Yet, the security services chose to do nothing, as “issuing a broad warning to Supermicro’s customers could have crippled the company” and “it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond.”
Apple, for its part, found the suspicious chips inside the Supermicro servers around “May 2015” according to Bloomberg’s sources. Like Amazon, Apple reported the discovery to the FBI but “kept details about what it had detected tightly held, even internally.” Amazon, on the on the other hand, was more forthcoming and gave the FBI access to the compromised hardware.
For context, President Obama and China’s President, Xi Jinping, made an agreement in September 2015, that neither country would conduct cyber theft of intellectual property. However, only weeks after this agreement was announced, the US government was talking to tech companies about the security threat:
“The US government quietly raised the alarm with several dozen tech executives and investors at a small, invite-only meeting in McLean, Va., organized by the Pentagon. According to someone who was present, Defense Department officials briefed the technologists on a recent attack and asked them to think about creating commercial products that could detect hardware implants. Attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Supermicro, the person says.”
So why is this coming out now? It’s difficult to say, but Bloomberg claims that it has been investigating the case for over a year, so it might have simply been the result of a tip off, or a leak which has taken this long to fully investigate and understand.
Why Did This Happen?
As we mentioned above, this is different from most of the hacking stories you hear about. Most are software-level hacks, involving an exploit or a finding a vulnerability in a system. However, these hacks can be easily spotted and easily countered.
Hardware-level hacks, like the one reported in Bloomberg, allow much greater access to the system or network and in this case would have allowed unparalleled access to the data passing through the server:
“Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.”
However, it’s unclear exactly what sort of information the hackers wanted to obtain. Clearly, access to major companies servers’ could help facilitate a cyber attack – and experts have warned that China could do this. Access to the US defence and intelligence servers could also be advantageous but, again, we’ve no specific information on what they would do with this data.
Crucially, there’s no evidence that any governmental or consumer data was taken.
Does This Matter For You?
If we can trust Bloomberg’s reporting (more on that in a moment) then yes, this does matter to you.
Firstly, it raises the suspicions around Chinese-made goods even further. Following the US government’s ban on Huawei and ZTE devices being sold in the US due to security concerns, this incident would prove that the Chinese government does have the ability to compromise private sector manufacturing.
Secondly, given the current trade war between China and the US, this kind of attack would likely cause President Trump to order tariffs on more goods as a result. This would lead to greater price hikes for consumers and, potentially, more US businesses dependent on Chinese-made parts biting the bullet.
Can We Trust Bloomberg’s Report?
Now, here’s the rub. The companies involved in the case have all issued strongly-worded responses to Bloomberg, when asked for comment by the publication. Supermicro, Apple and Amazon all stated that they had no knowledge of the affected devices. Even China’s Ministry of Foreign Affairs responded to the business publication claiming that it is as much a victim of supply chain safety issues as anyone else. You can read all of their statements here.
Apple and Amazon also issued separate press releases following the publication of Bloomberg’s article. Apple’s is titled ‘What Businessweek Got Wrong About Apple’ and states:
“The published Businessweek story also claims that Apple “reported the incident to the FBI but kept details about what it had detected tightly held, even internally.
In November 2017, after we had first been presented with this allegation, we provided the following information to Bloomberg as part of a lengthy and detailed, on-the-record response. It first addresses their reporters’ unsubstantiated claims about a supposed internal investigation:
“Despite numerous discussions across multiple teams and organizations, no one at Apple has ever heard of this investigation. Businessweek has refused to provide us with any information to track down the supposed proceedings or findings. Nor have they demonstrated any understanding of the standard procedures which were supposedly circumvented. No one from Apple ever reached out to the FBI about anything like this, and we have never heard from the FBI about an investigation of this kind — much less tried to restrict it.”
Amazon’s statement is titled “Setting the Record Straight on Bloomberg BusinessWeek’s Erroneous Article”:
“As we shared with Bloomberg BusinessWeek multiple times over the last couple of months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government.
There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”
If these responses from Apple and Amazon are true, it would throw the entire Bloomberg article into question. For its part, Bloomberg has defended its reporting:
“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks… We stand by our story and are confident in our reporting and sources.”
Clearly, the reliance on anonymous sources is far from ideal, but Bloomberg said in its original article that this was to protect their safety and privacy. But even, if half of the story is true, it’s still a big, big deal.
Update: 5 October 2018
The National Cyber Security Center, a unit of Britain’s digital intelligence agency, GCHQ, made a statement supporting Apple and Amazon:
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS [Amazon Web Services] and Apple… The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
Update: 8 October 2018 AM
The Department of Homeland Security in the US issued a statement on the Bloomberg report on 6 October, again supporting Apple and Amazon:
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
Update: 8 October 2018 PM
Apple issued another strongly worded rejection of Bloomberg’s claims in a letter to four US Congressmen. You can read the letter here.
“We want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true. You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong… Ever since we were first contacted by Bloomberg’s reporters in October 2017, we have workded diligently to get to the bottom of their allegations.
While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more specific than vague secondhand accounts.”
Want to know more about China, tech and the West?