Supermicro, the subject of media reports two months ago alleging that spies in China hacked Supermicro servers widely distributed throughout the U.S. technology supply chain, has followed up its initial vehement denials with a letter sent yesterday to customers stating that a third-party investigations firm had “found absolutely no evidence of malicious hardware on our motherboards.”
The original story, from Bloomberg News, headlined “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies,” reported that the hack was first detected in 2015 by Amazon, which found that Amazon servers assembled by Supermicro contained “a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.”
The chips allow a “stealth doorway” into networks where the hacked servers operate, according to the story, and “the chips had been inserted at factories run by manufacturing subcontractors in China,” specifically by operatives for the People’s Liberation Army. The report fit into media coverage throughout this year of growing trade and IP-theft tensions between the United States and China, including the recent arrest and imprisonment of a senior Huawei executive.
In response to the Bloomberg story, Supermicro said it undertook an investigation with assistance from an unnamed investigations firm and tested a representative sample of Supermicro motherboards, “including the specific type of motherboards depicted in the article and motherboards purchased by companies (Amazon and Apple) referenced in the article, as well as more recently manufactured motherboards.”
The customer letter, signed by Supermicro President and CEO Charles Liang and two other senior executives, said that the findings of no malicious chips “were no surprise to us,” that “we test our products at every step of the manufacturing process,” and that “Throughout our supply chain, each of our boards is tested repeatedly against its design to detect any aberration and to reject any board that does not match its design.”
The Bloomberg article drew considerable attention because of Supermicro’s widespread use throughout the IT landscape. A former U.S. intelligence official familiar with Supermicro is quoted in the story: “Think of Supermicro as the Microsoft of the hardware world. Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
Another damning aspect of the article is its statement that Amazon had reported the discovery of the chips to U.S. authorities. The letter from Supermicro, however, declared that “no government agency has ever informed us that it has found malicious hardware on our products,” noting that the directors of several intelligence agencies (Homeland Security, National Intelligence, the FBI) “early on appropriately questioned the truth of the media reports.”
At the publication of Bloomberg’s story, Amazon also issued a denial, stating, “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications…. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”