US investigators have found a series of Chinese-planted microchips in the computers of almost 30 companies, including Apple and Amazon.
In what’s being described in a revealing report by Bloomberg as a “supply chain compromise”, the reports centre on San Jose-based hardware company Super Micro Computer (Supermicro).
Supermicro currently sells more server motherboards than any other company.
It is alleged that microchips were inserted onto Supermicro motherboards by a Chinese military unit in the factories used by the company during the manufacturing process.
Like many hardware companies, Supermicro outsources manufacturing to China.
The compromised motherboards were then assembled into servers and distributed to Supermicro’s customers, which included Apple and Amazon.
According to the report, in 2015 Amazon hired a third-party company to complete a security check on Elemental Technologies – a software start-up the ecommerce giant was weighing up acquiring.
During this check, the unfamiliar microchips were discovered on the Supermicro motherboard, prompting Amazon to report the believed espionage to authorities.
The government’s ensuing “top-secret probe”, which according to Bloomberg is still open, has led investigators to believe the microchips provided “a stealth doorway into any network that included the altered machines.”
It also reports that Apple – which had engaged with Supermicro to order more than 30,000 servers to create a new network of data centres – found the chips in 2015 and cut ties with the hardware company.
The Bloomberg report cites six (unnamed) current and former national security officials confirming the discovery of the chips as well as three Apple insiders and other intelligence and government sources.
There is a total of 17 unidentified sources used in the story.
“The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information,” write the journalists, Jordan Robertson and Michael Riley.
Deny, deny, deny
Perhaps due to the lack of on-record sources used in the story, the response from the companies implicated in the report has been to deny all claims.
“Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found,” said Supermicro in a statement.
Amazon Web Services CISO, Steve Schmidt, echoed Supermicro, issuing a strong statement against the Bloomberg report.
“There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count,” he said. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems.”
Apple also rubbished the claims, suggesting the whole thing was perhaps a mix-up.
“We are deeply disappointed that in their dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed,” it said.
“Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Supermicro server in one of our labs.
“That one-time event was determined to be accidental and not a targeted attack against Apple.”
Despite the strong denials, Supermicro’s shares dropped almost 60% on the U.S. stock market on Thursday, while Apple and Amazon saw 1.8% and 2.2% dips respectively.
The story comes after the CIA, FBI and NSA issued customers a warning against buying Chinese-made Huawei or ZTE phones due to security concerns.