A Friday report from Bloomberg News revealed China was able to spy on American computer systems for a decade by supplying compromised chips to Super Micro Computer Inc. (Supermicro), one of America’s leading motherboard providers.
According to the report, U.S. intelligence agencies were aware of this wide-reaching Chinese espionage program but did not warn either Supermicro or its customers, because they prioritized monitoring China’s surveillance techniques and developing countermeasures against them.
The lengthy Bloomberg report documented the known history of the Chinese espionage scheme, which took advantage of Supermicro’s reliance upon global supply chains to obtain chips for its motherboards at low prices.
“Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China. It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured,” former FBI official Jay Tabb told Bloomberg.
“The Chinese government has been doing this for a long time, and companies need to be aware that China is doing this, and Silicon Valley in particular needs to quit pretending that this isn’t happening,” he added.
Most of Bloomberg’s other sources for the story were anonymous — over 50 sources in total, both government and private — and the reporters said they were able to back up many of the details they provided with corporate documentation.
Supermicro nevertheless dismissed the Bloomberg report as “a mishmash of disparate and inaccurate allegations” that “draws farfetched conclusions,” arguing government agencies would not continue to purchase Supermicro products if so many federal agencies were convinced China is manipulating the company’s motherboards to conduct espionage.
Bloomberg found quite a few government and private security experts who claimed the government investigated and monitored the presence of malicious chips on Supermicro boards for years. None of them seemed to think Supermicro itself was to blame for any of the malicious activity.
To put it simply, the espionage cases described in the Bloomberg report involve additional chips filled with spyware surreptitiously added to computer boards by Chinese suppliers. The malicious chips quietly transmit data from the compromised computers to servers in China.
Computers from several manufacturers have been compromised with these added chips but, according to Bloomberg’s sources, the Chinese cyber-espionage network was especially vigorous about sabotaging Supermicro boards. Some of the chip-based surveillance was superficial, mapping out network topologies and skimming surface-level information instead of attempting to pilfer user data.
Early investigators who became aware of these tactics wondered if the spy chips could be setting networks up for more vigorous hacking expeditions later, or preparing them for sabotage in the event of a conflict between the U.S. and China. According to the report, U.S. intelligence officials decided to keep quiet about the discovery of the spy chips — which were extremely advanced and very difficult to detect — and continue monitoring them, to study their behavior and prepare defensive strategies.
Bloomberg has reported on chip-level spyware penetration in the past, but the new report indicates it was far more widespread than previously believed — the report chronicles dozens of incidents affecting thousands of computers, from 2008 to the present day.
A key point is that government agencies and private security agencies have responded in many different ways to the discovery of these Chinese spy chips, leading to highly variable policies and public statements. Some agency sources speak as if the penetration of Supermicro boards is an open secret within the cyberintelligence community; others insist there are no major security issues with Supermicro products and continue purchasing them for numerous purposes; still others buy computer systems with Supermicro components for some purposes, but restrict them from the most highly sensitive projects.
Some corporate customers say they have been warned about security flaws in certain Supermicro products, and in products from other companies that do business with Chinese suppliers, while others say they have never been made aware of any such issues. The list of public and private officials who refused to comment when contacted by Bloomberg reporters was as long as the list of sources who did provide information for the story.