An explosive Bloomberg Businessweek report details how China was able to pull off the most significant supply chain attack ever against American companies. Reportedly, China used third-party vendors to America companies, including Amazon and Apple, to insert a tiny microchip, no bigger than a grain of rice, onto motherboards for Supermicro. Amazon Web Services (AWS), reviewed these servers and found “troubling issues.”
“Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.”
Bloomberg Businessweek reporter Jordan Robertson who co-wrote this blockbuster story talked about it on Bloomberg TV:
The basic gist of this story is that in 2014 and 2015 a unit of China’s People’s Liberation Army implanted malicious microchips on computer servers bound for U.S. companies. Those computer servers wound up in very targeted, very large companies including Apple and Amazon.
What these malicious chips did was compromise the software on these hardware devices at the kind of level that you can’t detect, in many ways the ultimate silent attack. This was a very major discovery for these companies and for U.S. intelligent services.
This story has taken us well over a year to report and write and a lot of that is learning what is a hardware attack? It’s such science fiction in many ways to us as reporters and to the public at large. A hardware attack is simply the most effective type of computer hacking that any organization can engineer. The reason is if the hardware of the computer is compromised it will irrevocably compromise the software that sits on top of it.
There is no commercial security system that can detect that kind of manipulation. It’s a super serious attack that is almost impossible to detect without physical examination of the hardware which almost no one does.