Bloomberg is reporting it. https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies According to the story: It seems that in 2015, Amazon Web Services was considering purchasing Elemental Technologies, a very prominent Portland Oregon manufacturer of Data Compression systems. This company in turn had contracted with a San Jose California company called Super Micro Computers to manufacture the servers. And Supermicro's manufacturing was outsourced to (you guessed it) China. As part of the preparation for the purchase, AWS sent some of Elemental's products to a third party company to test. This evaluator found something very disturbing. "Nested on the servers' motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn't part of the boards' original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And elemental was just one of hundreds of Supermicro customers." "During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China..." "The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People's Liberation Army. In Supermicro, China's spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies." If this Bloomberg story is true, it's big. One wonders what part it plays in the U.S. playing trade hardball with China. The US obviously needs to stop being so reliant on Chinese manufacturing for products of potential security and defense importance. It's just a recipe for national suicide.
Techcrunch says: https://techcrunch.com/2018/10/04/china-spy-hack-chip-bloomberg-supply-chain/ "This is a complex story that rests on more than a dozen anonymous sources --- many of which are sharing classified or highly sensitive information, making on-the-record comments impossible without repurcussions. Despite the companies' denials, Bloomberg is putting its faith in that the reader will trust the reporting." Much of the story can be summed up with this one line from a former U.S. official: "Attacking Supermicro motherboards is like attacking Windows. It's like attacking the whole world." "It's a fair point. Supermicro is one of the biggest tech companies you've probably never heard of. It's a computing supergiant based in San Jose, Calif., with global manufacturing operations across the world --- including China, where it builds most of its motherboards. Those motherboards trickle throughout the rest of the world's tech --- and were used in Amazon's data center servers that power its Amazon Web Services cloud and Apple's iCloud..." "Infiltrating Supermicro, if true, will have a long-lasting ripple effect on the wider tech industry and how they approach their own supply chains..." "The big question now is how to secure the supply chain?" Well, somebody's gonna have to do something. I believe that AWS is supposed to be building a new (supposedly) secure cloud for the US intelligence agencies. https://aws.amazon.com/government-education/government/ https://aws.amazon.com/blogs/publicsector/announcing-the-new-aws-secret-region/ https://aws.amazon.com/blogs/publicsector/from-deserts-to-the-battlefield-aws-snowball-edge-brings-technology-to-the-tactical-edge/?nc1=b_rp
Right - supposedly. I've often thought "secure cloud" was an oxymoron - even more so than "military intelligence."
still more https://www.engadget.com/2018/10/19/bloomberg-china-surveillance-dan-coats-director-national-intelligence/
and yet . . . more https://www.reuters.com/article/us-supermicro-chips/super-micro-says-review-found-no-malicious-chips-in-motherboards-idUSKBN1OA12R
