An in-depth exposé published by Bloomberg alleges a secret unit within the Chinese military embedded minuscule chips into computer motherboards of servers in order to steal information from some of America’s largest companies and agencies, including a major bank, government contractors, and technology companies such as Amazon and Apple.
The covert unit allegedly inserted pencil tip-sized microchips into computer motherboards at Chinese factories that then supplied them to Supermicro, a computer part manufacturer that provided more than 30,000 servers over the course of two years to serve data centers around the world. These motherboards were then built into servers, which were sent to data centers operated by as many as 30 companies. When a server was switched on, the microchip could communicate with outside computers and download instructions from them, allowing attackers access to passwords and control over what the servers did.
Bloomberg says three senior insiders at Apple, as well as six current and former senior national security officials, corroborate the claim. A total of 17 people confirmed the attack took place, none of whom provided their names “because of the sensitive, and in some cases classified, nature of the information.” A government official told Bloomberg that China’s goal was “long-term access to high-value corporate secrets and sensitive government networks,” and that there are “no ramifications for consumer data.”
Amazon, Apple, Supermicro, and the Chinese government all issued statements emailed to Bloomberg disputing Bloomberg’s reporting.
“On this, we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple wrote Bloomberg. “Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
The attack reportedly came to light while Amazon was doing its due diligence on a new company it was set to buy. As the Washington Post points out, it’s how the attack reportedly played out that is so impactful to the global economy. (Bloomberg says it’s the “most significant supply chain attack known to have been carried out against American companies.”) Not only would the attackers need to understand and manipulate the product’s design, but they would also need to ensure the devices made it through the global supply chain and to the desired location.