Apple and Amazon are among U.S. companies and agencies who were targeted and had data stolen by Chinese spies, according to a report by Bloomberg. The data had reportedly been siphoned off via tiny chips inserted on server circuit boards made by a company called Super Micro Computer, reported the news agency.
The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources carried out by Bloomberg.
How Did It Happen?
While Amazon’s Amazon Web Services (AWS) was looking into the acquisition of one Elemantal Technologies. To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental’s security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental’s main product: the expensive servers that customers installed in their networks. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that’s also one of the world’s biggest suppliers of server motherboards. In 2015, several of Elemantal’s servers were sent to Ontario, Canada, for the third-party security company to test, the person says.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
China was well placed to carry out this kind of attack, said Bloomberg, because 90% of the world's PCs are made in the country.
However, Amazon and Apple both denied there was any substance to Bloomberg's claims.
In its lengthy statement, Amazon said: "We've found no evidence to support claims of malicious chips or hardware modifications."
Apple took Bloomberg to task, saying the agency had contacted it "multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident". "Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them."
It added: "We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg's story relating to Apple."
Super Micro Computer said it was "not aware" of any government investigation into the issue and no customer had stopped using its products because of fears about Chinese hackers.