China Snuck Chips Into CIA, U.S. Military, Commercial Servers Leaving Them Open To Hacks: Report

If accurate, this would be an unprecedented security risk and we may be hearing about more hardware tampering in the future.

Supermicro

A new report is alleging the Chinese government directly interceded to insert small microchips into motherboards from a company called Supermicro, that are in use in servers everywhere from the adult film industry to U.S. military and U.S. Intelligence Community data centers, which make them vulnerable open them up to remote hacks. If the claims turn out to be true, it would be an intelligence operation of historic proportions that would have far-reaching and long-lasting ramifications.

On Oct. 4, 2018, Bloomberg Businessweek published its story, which is the culmination of years of investigative work and cites nearly 20 anonymous sources from both the U.S. government and private companies reportedly involved in the affair. The piece says that American authorities first became aware of the existence of the chips in 2015, that the classified probe is still ongoing, and that U.S. officials have identified an unspecified unit of the People’s Liberation Army (PLA) as being responsible for sneaking the malicious hardware into the servers.

“Think of Supermicro as the Microsoft of the hardware world,” a former U.S. intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”

By 2015, the San Jose-based firm had sold thousands of servers to more than 900 customers in around 100 countries. That the customer base includes the Central Intelligence Agency, various elements of the U.S. military, the Department of Homeland Security, NASA, and the U.S. Congress, as well as big-name tech firms such as Apple.

The basic concept behind the alleged plan is relatively straightforward. The PLA unit in question allegedly infiltrated Supermicro’s China-based subcontractors who actually make the motherboards and added its own hardware, reportedly no bigger than a grain of rice or the tip of a pencil.

These chips themselves don’t do much on their own, but what they do is immensely important. The small amount of computer code they contain instructs the completed servers to be open to outside modifications and to be ready to receive further code from other computers remotely, creating a backdoor for hackers to access the information they contain. 

It could potentially have other functions, as well, including acting as a remotely-operated kill-switch to just shut down a system entirely on command. Hackers could also potentially use it as a gateway to feed false or confusing information into a target system, as well.

These types of threats is a long-standing security concern. Just in August 2018, President Donald Trump signed a bill into law that makes it illegal for U.S. government agencies to purchase devices from Chinese firms Huawei and ZTE Corp, over fears that the Chinese government might seek to tamper with them. The U.S. military had temporarily imposed similar restrictions on small drones from China-based company DJI over security concerns in 2017.  

USMC

The U.S. military stopped using DJI drones, such as this Phantom, for a time in 2017 over fears that they could be scooping up sensitive information and sending it back to the Chinese company.

Chinese hacking, or attempts to hack, private companies and government agencies are also well established at this point. In June 2018, The Washington Post reported that China had stolen information on a highly-classified anti-ship missile known as Sea Dragon from a U.S. government contractor’s computer system. There is no evidence as yet to indicate that this was as at all related to the hardware tampering Bloomberg has described.

But implementing such a plan to exploit the actual hardware in specific systems is reportedly extremely difficult, with so many opportunities for authorities and private security experts to uncover the scheme. Intelligence agencies and security experts have dismissed the likelihood that it could occur on as grand a scale as Bloomberg’s story suggests.

“Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc., explained to Bloomberg. “Hardware is just so far off the radar, it’s almost treated like black magic.”

It’s not entirely clear when the chips first began appearing Supermicro’s servers or whether the Chinese tried at all to focus their efforts on hardware bound for specific destinations. The size and scope of the American company's customer base would have made it a particularly attractive target for China's intelligence services.

Vmenkov via Wikimedia

The provincial offices of China's Ministry of State Security, the country's main internal and external intelligence agency, in Wuhan.

The issue reportedly only became apparent in 2015 after Amazon sent systems a company called Elemental had produced, which included Supermicro servers, for a deep security inspection, according to Bloomberg. Amazon Web Services was looking to acquire Elemental, which specialized in hardware to support online video-streaming services, to help with its own projects, such as Amazon Prime Video.

The unnamed third-party security firm located the chips, after which Amazon reportedly informed the Federal Bureau of Investigation, prompting the still ongoing investigation. One of Bloomberg’s anonymous sources said that U.S. officials identified at least 30 private companies, including Apple, that had the sabotaged servers.

It is important to note, however, that Amazon, Apple, and Supermicro have all vociferously and publicly denied Bloomberg’s reporting categorically. The three companies say they have never located a piece of malicious hardware in the servers, contacted the U.S. government about such an issue, or are aware of any investigation. The Chinese government, not surprisingly, issued a vague and indirect response when the outlet asked for comment.

That being said, in 2016, Apple did stop buying products from Supermicro entirely, citing a security incident it said was unrelated to any hardware tampering. In August 2018, the Nasdaq stock market index suspended trading in shares of the company citing irregularities in its filings with the Securities and Exchange Commission.

Chinatopix via AP

An Apple Store in Shanghai, China. Apple is reportedly one of the companies that ended up with the compromised motherboards.

It is also important to point out that this story has emerged just as President Donald Trump’s Administration has sought to impose restrictions on the importation of Chinese-made computer hardware as part of a rapidly escalating trade war. Tensions between the two countries have been steadily escalating as a result of other disputes, including the status of the contested South China Sea, American military assistance to Taiwan, and Chinese information operations that are reportedly seeking to sway public opinion against Trump in the United States.

“Beijing is employing a whole-of-government approach, using political, economic, and military tools, as well as propaganda, to advance its influence and benefit its interests in the United States,” Vice President Mike Pence said in a speech at the Hudson Institute think tank on Oct. 4, 2018. “Worst of all, Chinese security agencies have masterminded the wholesale theft of American technology – including cutting-edge military blueprints.”

So, there is a possibility that Bloomberg’s sources have been seeking to push this narrative as part of the U.S. government’s growing criticism of China. On the other hand, the outlet says it spoke with individuals with insider knowledge of Apple and other private companies involved in the microchip affair. The reported investigation into the security threat dates back to President Barack Obama’s Administration, as well, when relations with the Chinese might have been cool, but not nearly as tense as they are now. 

Given the highly sensitive nature of the situation, Amazon, Apple, and Supermicro may not be able to publicly comment on the ongoing investigation, even if they wanted to. Of course, if that were the case, they could have simply declined comment rather than issue their very explicit and detailed denials.

In addition, the hardware seeding operation would have come after a massive Chinese counter-intelligence campaign, starting in 2010, which reportedly put a chill on CIA activities in the country, too. China could easily have seized on that situation as a prime opportunity to try and see if it was possible to infiltrate technology supply chains on a large scale.

Regardless of the actual specifics of the situation and whether or not this malicious hardware threat was ever as real as Bloomberg's sources contend, the implications are clear for both private industry and the U.S. government. In recent years, American firms have steadily subcontracted more and more of the actual manufacturing of components in various electronic devices to firms in China, opening up the possibility of these types of security breaches.

“You end up with a classic Satan’s bargain,” a former U.S. official told Bloomberg. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

Imaginechina via AP Images

A factory worker in China assembles electronic components.

That position may now be increasingly untenable if there are risks of the vulnerabilities becoming as widespread as Bloomberg’s story suggests. There are no simple, fast, and cost-effective means to inspect motherboards and other components for malicious hardware that the Chinese have allegedly developed. That the tiny components do not do much themselves and contain very little computer code would make it difficult to attribute them to any particular source, further reducing the risks to the attacker.

The U.S. military and the U.S. Intelligence Community have also struggled to combat counterfeit computer chips from China from getting into the supply chain, which presents another possible vector for malicious hardware. The Defense Advanced Research Projects Agency has been working on ways to quickly spot knock-off components, which might also help spot tampering.

“This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” an unnamed individual who attended a Pentagon-sponsored meeting to discuss the potential risks of hardware tampering noted to Bloomberg. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

With that in mind, it seems hard to imagine that the Chinese, with a significant monopoly on the supply chains for computer and other electronic technologies, would not be interested in trying to leverage that reality for its own benefit. No matter how widespread or not the PLA’s infiltration of Supermicro turns out to be, it seems likely that reports of similar security breaches will appear for the foreseeable future.

Contact the author: jtrevithickpr@gmail.com