A report published today by Bloomberg describes what, if accurate, would be one of the most significant hardware supply chain attacks ever attributed to a nation-state: surveillance chips roughly the size of a grain of rice embedded in the motherboards of servers used by nearly 30 U.S. companies, including Apple and Amazon.
According to the report, the chips were not part of the original motherboard design from the U.S.-based vendor Supermicro and were never authorized by the company; they were added during manufacturing at facilities in China. Bloomberg attributes its account to a three-year U.S. government investigation which concluded that groups backed by the Chinese government infiltrated Supermicro's supply chain and implanted the chips in motherboards that ended up in servers used by the U.S. military, intelligence agencies, and companies such as Apple and Amazon.
Bloomberg reports that Apple first noticed the chips around May 2015 after observing unusual network activity and firmware problems on affected servers. Although physically tiny, the chips reportedly held enough code to act as a staged loader: they could instruct the device to contact one of several anonymous remote computers hosting more sophisticated code, and they could prepare the operating system to accept that foreign code once it arrived. That is why the first observable symptom was outbound traffic to destinations the servers had no business contacting, rather than anything visible on the host itself.
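The article describes detection starting from "unusual network activity". The following is an added example, not code from Bloomberg, Apple or Supermicro, of the simplest version of that check: build a per-server baseline of egress destinations from a known-good window, then flag any server that starts contacting a destination outside that baseline, rating external destinations as high severity. The hostnames, addresses, internal ranges and the flow-record format are constructed for illustration.

```python
"""Egress-baseline check over constructed flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int
    src_host: str
    dst_ip: str
    dst_port: int
    bytes_out: int


# Constructed sample records in a simple "ts host dst_ip dst_port bytes" format.
# The baseline window is assumed to predate any compromise (see caveat below).
BASELINE_LOG = """\
1000 srv-01 10.0.0.5 443 2048
1001 srv-01 10.0.0.6 514 512
1002 srv-02 10.0.0.5 443 4096
1003 srv-02 10.0.0.6 514 256
1004 srv-03 10.0.0.5 443 1024
"""

OBSERVED_LOG = """\
2000 srv-01 10.0.0.5 443 2048
2001 srv-02 198.51.100.23 443 9000
2002 srv-02 198.51.100.23 443 9500
2003 srv-03 10.0.0.6 514 128
2004 srv-03 203.0.113.9 80 300
"""

# Assumed internal address space; anything outside it is treated as external.
INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def parse_flows(text):
    """Parse the constructed whitespace-separated flow format into Flow records."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        flows.append(Flow(int(ts), host, dst, int(port), int(nbytes)))
    return flows


def build_baseline(flows):
    """Per host, the set of (dst_ip, dst_port) pairs seen in the known-good window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f.src_host].add((f.dst_ip, f.dst_port))
    return baseline


def is_external(ip):
    """True when the address falls outside every configured internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def detect_new_egress(baseline, flows):
    """One alert per (host, dst, port) never seen for that host in the baseline.

    Repeated flows to the same new destination are collapsed into one alert with
    their bytes summed, so a sustained callback shows up as a single loud entry.
    """
    pending = {}
    for f in flows:
        if (f.dst_ip, f.dst_port) in baseline.get(f.src_host, set()):
            continue
        key = (f.src_host, f.dst_ip, f.dst_port)
        if key not in pending:
            pending[key] = {
                "host": f.src_host,
                "dst": f.dst_ip,
                "port": f.dst_port,
                "bytes": 0,
                "severity": "high" if is_external(f.dst_ip) else "low",
            }
        pending[key]["bytes"] += f.bytes_out
    return list(pending.values())


if __name__ == "__main__":
    base = build_baseline(parse_flows(BASELINE_LOG))
    for alert in detect_new_egress(base, parse_flows(OBSERVED_LOG)):
        print(alert)
```

Two caveats matter for a hardware implant specifically. First, the flow records must come from the network (switch or tap telemetry), not from the server's own logging stack, because an implant that sits beneath the operating system can also shape what the host reports about itself. Second, the baseline is only as clean as the window it was learned from; if the implant was already calling home during that window, its destination becomes "normal", so the baseline should be reviewed against an explicit egress allowlist rather than trusted blindly.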
This kind of manipulation is a hardware hack. It is far harder to pull off than a software compromise, since it requires access to the manufacturing process, but it is also far harder to detect and remove: a component sitting beneath the operating system survives reinstalls and undermines every software control above it. That is the covert, long-term access intelligence agencies consider worth years of effort and millions of dollars. According to Bloomberg, the chips differed from one motherboard model to another, which suggests the attackers supplied each manufacturing facility with batches tailored to the boards it produced.
Despite the gravity of the findings, both Apple and Amazon have flatly denied the Bloomberg report, stating they have no knowledge of any supply chain breach or of servers containing malicious hardware. According to Apple, it has never found malicious chips or deliberately installed vulnerabilities in its servers and has had no contact with the FBI about any such incident. Apple suggested the report may have conflated its story with an unrelated 2016 event in which an infected driver was discovered on a single Supermicro server.
Amazon likewise stated that it is “untrue” that it knew of any supply chain compromise or of servers with malicious chips in its data centers in China. Supermicro and the Chinese Ministry of Foreign Affairs have also issued categorical denials of Bloomberg's claims.
As organizations assess these developments, it helps to map the described behaviour onto familiar adversary tradecraft. In MITRE ATT&CK terms, what Bloomberg describes spans several tactics rather than a single procedure: Initial Access through compromise of the hardware supply chain, Persistence at a layer below the operating system that survives rebuilds, Privilege Escalation insofar as the implant prepares the OS to accept attacker-supplied code, and Command and Control through the reported callbacks to remote hosts. Taken together, that is the profile of a well-planned operation aimed at long-term intelligence collection, although, given the denials from every company named, the mapping describes the report's account rather than any confirmed intrusion.
Whatever the final word on this particular report, it is a pointed reminder that an organization's security is bounded by the integrity of the hardware it buys. A component introduced during manufacturing cannot be caught by the host-based controls that run on top of it, so defenders need measures that do not depend on the device's own honesty: knowing the provenance of the boards and firmware they deploy, pressing suppliers on manufacturing and subcontractor controls, and monitoring server egress from the network side for destinations a machine has no reason to contact. As this story develops, that kind of independent visibility remains the most practical safeguard against threats at this level.