Did Chinese government hackers really plant spy chips in Apple and Amazon servers?
- Summary:
- Bloomberg says Chinese government hackers planted surveillance chips on servers used by Apple, Amazon, and about 30 other companies and agencies. Apple and Amazon deny that it happened.
Supermicro imports pre-built components from China to assemble its servers. If those parts were tampered with before being assembled into the final product, neither the seller nor the customer might ever know.
The report says the chips then found their way into the data centers of nearly 30 American companies and organizations, including Amazon and Apple, a major bank, and a number of government contractors.
If the story is true (we’ll get to that in a moment), it is the most significant supply chain attack known to have been carried out against American companies. The chips would have given the attackers a covert entry point into any network that contained an altered machine. A nation-state hardware implant of this kind could expose the most sensitive industrial and military data and go undetected for years. The report explained:
There are two ways for spies to alter the guts of computer equipment. One, known as interdiction, consists of manipulating devices as they’re in transit from manufacturer to customer. This approach is favored by U.S. spy agencies, according to documents leaked by former National Security Agency contractor Edward Snowden. The other method involves seeding changes from the very beginning.
No country is better positioned to leverage the seeding method than China, which makes 75 percent of the world’s mobile phones and 90 percent of its PCs, according to some estimates. China also has the deep product-design experience and ability to manipulate components inside local factories required to pull off such an extraordinary feat. Most of all, it has the global logistics contracts to ensure that the doctored devices make it to the desired location. Said Chris Moschovitis, president of tmg-emedia, an independent technology consultancy and author of Cybersecurity Program Development for Business: The Essential Planning Guide:
This story takes cybersecurity to a whole new, and terrifying level. I fear that this is just the beginning, as cyberwarfare moves to leverage every possible advantage, and in this case, China can bring the whole world to its knees simply by stealthily infecting--as the article implies--the 90% of hardware it supplies to the world.
The backstory and the denials
According to Bloomberg, the chips were developed by a specialized computer hardware attack unit in the People’s Liberation Army. When an affected server was switched on, the chip altered the operating system so that it would accept modifications from remote computers, then waited for further instructions and code. That would let the attackers manipulate the server to steal data, contact other servers, and alter its operation.
The hack was reportedly discovered in 2015 by three parties: US intelligence services; Amazon, while its subsidiary Amazon Web Services (AWS) was moving to purchase the streaming video compression firm Elemental Technologies, which used Supermicro servers at the time; and Apple, whose security teams found the chips after the company had reportedly bought around 7,000 Supermicro servers.
Amazon, Apple, and Supermicro all issued statements denying the Bloomberg report. Said Amazon:
It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.
Said Apple:
On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.
Said Supermicro:
While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard. We are not aware of any customer dropping Supermicro as a supplier for this type of issue.
In response, Bloomberg wrote:
The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six U.S. officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.
My Take
So, WTAF is going on here? Somebody either made a major mistake or is lying.
Bloomberg is a huge, well-financed journalism operation with lots of resources and connections to government agencies and corporations. Its reputation is on the line. This is not the kind of story it would make up from whole cloth. The bona fides in the statement above are strong and persuasive, even if anonymous. The company is standing by the story.
On the one hand, the denials from the “victims” are clear and emphatic. Why would they deny a story that was true, or mostly true? I can think of a couple of possible reasons.
- If your products had been compromised in such a spectacular way, would you want your customers to know about it (assuming you’ve already fixed the problem for those who got the infected products)? Your marketing department wouldn’t want you to broadcast it.
- A nicer possibility is that since the investigation is still going on after three years of work, our intelligence agencies have asked the companies to deny it for the good of the investigation. The statements coming from the DHS and the UK's GCHQ in support of Amazon and Apple's denials would support that theory.
On the other hand, it is conceivable that bad actors have concocted an elaborate lie that Bloomberg has swallowed whole. If that theory is right, the damage spreads everywhere. The problem then becomes: who can you trust in a world of fake news?
Me? I’m a “where there’s smoke, there’s fire” kind of guy.