
China planted ‘spy’ chips in Apple & Amazon servers

October 7, 2018 | Expert Insights

A Chinese military unit implanted tiny microchips – no larger than a grain of rice – onto the motherboards of servers used by around 30 US companies including Apple and Amazon, according to a new report by Bloomberg. The alleged scheme would give China unprecedented access to private servers, data and operations.

Background

China and the US have differing views on cyberspace and differing policy approaches to it. Beijing advocates for cyber sovereignty and the right of individual nation states to control their own cyberspace and infrastructure without foreign interference. On the other hand, the US promotes a more liberal model that includes open access to the internet and condemnation of government censorship.

In 2015, President Xi Jinping of China and then US President Barack Obama reached a historic agreement on cyber espionage: that neither government would support or conduct cyber-enabled theft of trade secrets or intellectual property. However, as competition between the US and China in trade, business, and technology steadily grew, their cyber and digital strategies have continued to clash.

China has long been known for and linked to prolific cyber espionage activities and intrusions targeting US defense, technology and energy sectors. These cyber espionage efforts led to the creation of the term Advanced Persistent Threat (APT). The category APT originated in the US Defense Department to describe cyber threats presented by sophisticated adversaries that focus on exfiltration of information and persistent access to privileged systems for continued exploitation.

In February 2013, US cybersecurity firm Mandiant – later purchased by FireEye – published an unprecedented report on APT1, a threat group linked to Unit 61398 of the People’s Liberation Army. Since then, several security firms have published evidence on APT groups tied to the Chinese military that target US companies in cyber espionage campaigns.

Analysis

Bloomberg Businessweek has reported that a Chinese military unit inserted malicious microchips, as small as a sharpened pencil tip, into computer servers used by about 30 US firms. Citing 17 unnamed intelligence and company sources with knowledge of the “supply chain attack” conducted by China, Bloomberg reports that the chips were developed and planted by a unit of the Chinese People’s Liberation Army.

The chips were disguised to look like inconspicuous components typically found on a circuit board that would be difficult to identify and detect without specialist equipment. These chips modified the way the servers worked and allowed for unfettered access to the operating system’s activities. This potentially allowed attackers to manipulate the server’s operations, stealthily monitor and exfiltrate data, and contact other computers controlled by the attackers to await further instructions and code.

The allegedly compromised hardware was sold by Super Micro, a company based in San Jose, California, that has been dubbed the “Microsoft of the hardware world.” Although Super Micro designs the server hardware in the US, the devices are manufactured in China, as is the case for many other electronics firms. The malicious chips were reportedly inserted during the manufacturing process by operatives from the Chinese military unit.

The attack chain was reportedly discovered by US intelligence services in 2015 and the subsequent investigation is still ongoing. Nearly 30 companies including Apple, Amazon, a major bank, and government contractors are among those that purchased these affected servers.

Bloomberg reported that Amazon became aware of the attack as its subsidiary Amazon Web Services (AWS) was making moves to acquire streaming video compression startup Elemental Technologies in 2015. Apple was a key Super Micro customer and had reportedly already purchased about 7000 servers with plans to order over 30,000 more, when its security teams discovered the chips.

Apple, Amazon and Super Micro have denied Bloomberg’s report.

“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon told Bloomberg. AWS said “at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.”

Apple said, “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.” Meanwhile, Super Micro said it is “unaware of any such investigation.” Bloomberg reports that the companies’ denials are countered by six current and former senior national security officials who had knowledge of the discovery of the chips by US intelligence during the Obama administration, and the investigation which subsequently continued into the Trump administration.

The Chinese government has also denied the report, saying: “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.” The report comes amid serious concerns raised about the cybersecurity of Chinese technology at a time when multiple tech giants outsource their manufacturing to the Asian giant. It also comes after the Trump administration placed tariffs on technology components imported from China.

Assessment

Our assessment is that the Bloomberg report adds fuel to concerns raised by countries about foreign intelligence agencies infiltrating government agencies and private firms in the US and the West through supply chain attacks for cyber espionage purposes.

These allegations could spur lawmakers and intelligence agencies in Western nations, particularly the US, to elevate existing rhetoric and take further action against China in light of national security concerns about these products.