Supermicro to review hardware for malicious chips, “despite the lack of any proof”

Bloomberg’s extensive report on October 4 claims that the Chinese Government had a plan to infiltrate data of companies like the CIA, Amazon, Apple, just to name a few of the almost 30 companies targeted.

They were able to accomplish this by compromising the supply chain of the American supplier Supermicro adding a tiny microchip into their motherboards.  The chips, according to Bloomberg, would allow the attackers to create “a stealth doorway” into any network that included the altered machines. These would have been able to be inserted during the manufacturing phase in factories from subcontractors in China.

This situation dates back to 2015 when Amazon and Apple discovered such chips in the hardware that was given by the supplier, Supermicro, and reported the incident to the FBI.

While Apple removed all Supermicro servers from its data center and the relationship between the firms ended, Amazon went ahead with an internal investigation and found altered motherboards in their Beijing facilities. They weren’t able to find a way of how to remove the infected equipment without alerting the Chinese government, so they kept it and monitored it.

In 2016, because of a change in Chinese cybersecurity law (that limited foreign cloud companies’ to own data centers in the country) they transferred the control of the data center to a Chinese partner and later sold its infrastructure.

Amazon, Apple and Supermicro have denied the allegations presented by Bloomberg.

“We are confident that a recent article, alleging a malicious hardware chip was implanted during the manufacturing process of our motherboards, is wrong… Despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article” said the server and storage manufacturer, Super Micro Computer, in a letter to its costumers published 2 weeks after the allegations.

Also Apple’s CEO, Tim Cook, has gone on record to deny the allegations that his company was under attack by the Chinese government. While on a phone interview with BuzzFeed News he said “There is no truth in their (Bloomberg) story about Apple, they need to do the right thing and retract it.”

This being the first time the company has ever publicly call for a retraction from a news story.

In addition, Cook commented on the lack of evidence Bloomberg has supplied in its claims and how they “turned the company” upside down looking for proof but found nothing.

Apple also put out and statement and a letter to the Congress denying the claims.

Amazon Web Services CEO Andy Jassy, joined Cook in asking Bloomberg to retract the report.

“Tim Cook is right. Bloomberg story is wrong about Amazon, too. They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.” Jassy said in a tweet quoting the Buzzfeed article with Cook’s interview.

Bloomberg says it’s standing by its report which consists of 17 unidentified sources from government and corporate sources that confirm the manipulation of hardware. Also even publishing a follow-up report.

When they were reached for comment by Buzzfeed they said “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews… We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”