Many US companies, including Amazon and Apple, have been the victims of a clever supply chain attack that resulted in compromised hardware (servers) being installed at some of their facilities, an explosive report by Bloomberg claims.
The compromised servers are by Portland-based Elemental Technologies and were assembled by San Jose-based company Super Micro Computer (aka Supermicro). The compromised motherboards were allegedly assembled by four subcontracting factories in China.
According to the report, which cites anonymous US national security officials and Apple and Amazon insiders, the servers’ motherboards were booby-trapped with minuscule microchips that would contact computers controlled by the attackers once they were put to work in data centers. These hardware implants would also make it possible for attackers to deliver modifications and malicious code over and over again.
It is claimed that the discovery of these microchips was made both by Amazon and Apple in 2015, who informed the FBI about it, and an investigation was mounted into the matter by the U.S. intelligence agencies and the FBI.
U.S. intelligence operatives allegedly hacked the computers the implants were contacting and discovered that the booby-trapped servers were in use in almost 30 U.S. companies and some government data servers.
The report claims that operatives from a unit of the People’s Liberation Army inserted the microchips during the manufacturing process, by bribing and threatening the plant managers.
Amazon and Apple deny the claims
Amazon and Apple have emphatically denied the claims made in the report, and Apple went as far as to say that they “have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.”
Supermicro said that they “are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.” China’s Ministry of Foreign Affairs also refuted claims that they are involved in this supply chain attack.
The FBI and the Office of the Director of National Intelligence declined to comment on the story.
In the meantime, the Twittersphere is awash with speculations and conjectures about whether the report has merit and, if it has, why Amazon and Apple would issue such strong denials.
Some posited that they can’t legally talk about an ongoing investigation, others that confirming it would massively impact the companies’ bottom line. There are likely also plenty of geopolitical reasons for denying the accuracy of the report.