The Chinese government orchestrated an elaborate plot to infiltrate the data centers of the CIA, US Department of Defense, Amazon Web Services and many more, Bloomberg claims in an extensive report.
To access these facilities, operatives from a unit of the People’s Liberation Army compromised the supply chain of American server maker Supermicro, and added tiny microchips that gave them unprecedented access.
Amazon, Apple and Supermicro dispute the report, as does the Chinese foreign ministry (Update: Apple has further denied the report in a letter to Congress). Bloomberg said that the findings have been confirmed by six current and former senior national security officials, two AWS employees and three Apple employees, among others.
A hardware hack
In 2015, Amazon considered acquiring Elemental Technologies, a startup that helped compress large video files and reformat them for different devices. During the due diligence phase, it sent the company's servers to a third-party security company.
It was during this investigation that Amazon discovered that there was something on the servers, all of which were assembled by Supermicro, that was not meant to be there.
The security company allegedly found a tiny, rice grain-sized chip on the motherboard that was not part of the original design. Amazon told the US government, immediately alarming those in the intelligence community - Elemental’s servers were deployed in Department of Defense data centers, involved in the CIA’s drone operations and the onboard networks of Navy warships.
Connected to the baseboard management controller, these chips - despite their diminutive size - allegedly enabled the servers to communicate with an outside machine, and accept any complex code it might send.
An ongoing, secret investigation into the source of the chips discovered that the Chinese government compromised four subcontracting factories used by Supermicro, threatening or bribing plant managers to alter designs.
It is not clear how many Supermicro motherboards were compromised, but a hack of the system the chips were pinging revealed almost 30 companies whose data centers were potentially at risk.
Among them was Apple, which used Supermicro servers in its data centers - a relationship that grew deeper when Apple acquired Topsy Labs, which also used the servers. Apple had planned to buy as many as 30,000 Supermicro machines, but is thought to have discovered the chip after detecting unusual network activity and firmware problems in 2015.
According to Bloomberg, the company informed the FBI, but did not provide government investigators with access to its facilities, or the tampered hardware. A few weeks later, Apple removed all Supermicro servers from its data centers, and severed its relationship with the company (both firms agree the relationship ended, but dispute the cause).
Amazon, meanwhile, conducted its own internal investigation. The vast majority of its data centers are filled with equipment purchased directly from factories, so AWS facilities did not use Supermicro servers.
Its Chinese data centers, however, were full of them. Amazon’s security team discovered altered motherboards in AWS’ Beijing facilities, along with more advanced malicious chips, including one so thin it was embedded between the layers of fiberglass onto which other components were attached.
The team was faced with a conundrum - it did not know how to remove the equipment quietly without alerting the Chinese government. It settled on monitoring the chips, recording occasional check-in communications, but making no attempt to remove data.
Then, in 2016, the Chinese government began pushing through an expansive and invasive cybersecurity law that put limitations on foreign cloud companies' ownership of data centers in the country. Amazon used this to transfer operational control of its Beijing data center to its local partner, Beijing Sinnet, in August, and then sold its entire infrastructure portfolio to the company for about $300 million.
A source familiar with the decision called it a move to “hack off the diseased limb,” although it is unclear whether the data centers still house the compromised servers.
In 2015, the Pentagon quietly briefed several dozen tech executives and investors about the attack - but did not name Supermicro - and asked them to think about creating commercial products that could detect hardware implants.
Since then, no such product has emerged, Bloomberg reports.