China accused of supply chain attack involving chip secretly built-in to Supermicro server motherboards

Chip the size of a grain of rice found on motherboard of servers used in defence and CIA, claims Bloomberg investigation

A supply chain attack that involved inserting chips the size of a grain of rice onto the motherboards of servers intended for sensitive US government departments have been found, according to a report by Bloomberg today.

The supply chain attack was uncovered following the $500m September 2015 acquisition by Amazon of video encoding company Elemental Technologies. The acquisition was led by Amazon Web Services (AWS).

As part of the due diligence process, AWS also subjected the start-up to a security audit, which raised flags in the servers that Elemental customers needed to install on their networks to handle the video compression software.

These servers, claims Bloomberg, were assembled for Elemental by Supermicro. A closer examination of the servers revealed a chip the size of a grain of rice embedded on the motherboard, which wasn't included in the original design.

"Amazon reported the discovery to US authorities, sending a shudder through the intelligence community. Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships," according to Bloomberg.

A full-scale investigation - which is still ongoing - indicates that the chips enabled the attackers to "create a stealth doorway into any network that included the altered machines".

Furthermore, the chips had been inserted at factories run by Supermicro subcontractors in China.

The report continues: "The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People's Liberation Army. In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies."

Almost 30 major companies have been affected, including a major bank, government contractors - and Apple.

"Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons," Bloomberg claims.

However, both Apple and Amazon have disputed the Bloomberg claims, while the Chinese government claimed to be a victim of supply-chain attacks, not a perpetrator.

"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," Amazon told Bloomberg.

Apple, meanwhile, wrote: "Apple has never found malicious chips, ‘hardware manipulations' or vulnerabilities purposely planted in any server."

The statement added that Apple was unaware of any investigation into the alleged supply chain attack.

However, Bloomberg's sources are adamant. "

The companies' denials are countered by six current and former senior national security officials, who - in conversations that began during the Obama administration and continued under the Trump administration - detailed the discovery of the chips and the government's investigation."

Computing's Security Excellence Awards return on Wednesday 21 November. Celebrating the achievements of the IT industry's best security companies, products, personalities and achievements, there's no bigger honour than winning in Computing's Security Excellence Awards 2018