Amazon, Apple, and Super Micro Computer (known as Supermicro) have found themselves at the centre of a controversy claiming that their servers have been compromised via a hardware-based supply-chain hack seemingly perpetrated by the Chinese intelligence agencies - though all three are denying any such breach.
Late yesterday, Bloomberg Businessweek published an explosive report claiming that server hardware designed by Amazon subsidiary Elemental Technologies and produced by Supermicro in China contained a tiny additional component not found on the schematics. This component, the outlet's sources claim, was discovered by US government agencies to be a processor which 'allowed the attackers to create a stealth doorway into any network that included the altered machines' and which 'had been inserted at factories run by manufacturing subcontractors in China'.
In short, Bloomberg's sources are claiming that the US government and companies using Elemental Technologies' servers, including Amazon and Apple, have been using compromised server hardware in what appears to be a nation-state-level attack. If so, it's the biggest breach in history - and one which the companies have known about since 2015 without ever alerting the public.
Bloomberg's report contains multiple sources and detail up to and including imagery of the claimed hardware component itself. The companies named in the report, however, deny everything: Supermicro says that it has 'never been contacted by any government agencies either domestic or foreign regarding the alleged claims'; Apple, which Bloomberg claims discovered the hardware hack in 2015 and severed its ties with Supermicro soon after, says that 'Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement;' while Amazon says that 'at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government,' while describing the inaccuracies in Bloomberg's report as 'hard to count.'
Bloomberg, which claims to have corroborating information from 17 unnamed sources backing up the report, is sticking to its story; the companies involved, meanwhile, are sticking to theirs, while China's Ministry of Foreign affairs has stopped short of an outright denial by issuing a general statement which says it hopes 'parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.'
November 22 2019 | 13:00