CHINA CHIP SHOT
Planted spyware inside US computer products: report
China inserted malicious microchips into computer hardware it manufactured for use by about 30 American companies — including Apple and Amazon, as well as for government agencies — in a brazen effort to steal US technology secrets, according to a report.
Bloomberg Businessweek cited 17 unidentified intelligence and company sources as saying Chinese spies used the tiny surveillance chips to create a “stealth doorway” into US servers whose motherboards were assembled in their country.
No consumer information was known to have been pilfered, according to Bloomberg, which reported that Amazon first alerted US authorities to the breach and that a top-secret probe by the US government, including the FBI, remains open.
According to the report, in 2015, Amazon began evaluating a video software startup called Elemental Technologies as part of the e-commerce giant’s efforts to expand its streaming service, now called Amazon Prime Video.
Amazon Web Services, which was building a super-secure cloud for the CIA, hired a thirdparty company to study Elemental’s security, a source familiar with the process told Bloomberg.
California-based SuperMicro, one of the world’s largest suppliers of motherboards, assembled servers for Elemental, which sent some of the equipment to Ontario, Canada, for the security company to test.
“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design,” according to Bloomberg.
“Amazon reported the discovery to US authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of SuperMicro customers.”
Several sources told Bloomberg that investigators discovered that the minuscule chips had been inserted by a unit of the People’s Liberation Army in factories run by manufacturing subcontractors.
On Thursday, Amazon and Apple denied the Bloomberg report.
“It’s untrue that AWS knew about a supply-chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon told Bloomberg in a statement.
Steve Schmidt, chief information security officer for AWS, said in a separate statement, “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.”
He also denied that the company “engaged in an investigation with the government.”
In its response, Apple told Bloomberg that it “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
“Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement,” it added.
Beijing didn’t directly address questions about manipulation of SuperMicro servers, issuing a statement that read, in part, “Supply-chain safety in cyberspace is an issue of common concern, and China is also a victim.”
The FBI and the Office of the Director of National Intelligence declined to comment to Bloomberg.