53
Bloomberg Businessweek
October 8, 2018
company, Apple Inc. Apple was an important Supermicro
customer and had planned to order more than 30,000 of its
servers in two years for a new global network of data centers.
Three senior insiders at Apple say that in the summer of 2015,
it, too, found malicious chips on Supermicro motherboards.
Apple severed ties with Supermicro the following year, for
what it described as unrelated reasons.
In emailed statements, Amazon (which announced its
acquisition of Elemental in September 2015), Apple, and
Supermicro disputed summaries of
Bloomberg Businessweek
’s
reporting. “It’s untrue that AWS knew about a supply chain
compromise, an issue with malicious chips, or hardware mod-
iications when acquiring Elemental,” Amazon wrote. “On
this we can be very clear: Apple has never found malicious
chips, ‘hardware manipulations’ or vulnerabilities purposely
planted in any server,” Apple wrote. “We remain unaware of
any such investigation,” wrote a spokesman for Supermicro,
Perry Hayes. The Chinese government didn’t directly address
questions about manipulation of Supermicro servers, issuing
a statement that read, in part, “Supply chain safety in cyber-
space is an issue of common concern, and China is also a vic-
tim.” (Full statements are published at the end of this story.)
The FBI and the Oice of the Director of National Intelligence,
representing the CIA and NSA, declined to comment.
The companies’ denials are countered by six current
and former senior national security oicials, who—in con-
versations that began during the Obama administration
and continued under the Trump administration—detailed
the discovery of the chips and the government’s investiga-
tion. One of those oicials and two people inside AWS pro-
vided extensive information on how the attack played out at
Elemental and Amazon; the oicial and one of the insiders
also described Amazon’s cooperation with the government
investigation. In addition to the three Apple insiders, four
of the six U.S. oicials conirmed that Apple was a victim. In
all, 17 people conirmed the manipulation of Supermicro’s
hardware and other elements of the attacks. The sources
were granted anonymity because of the sensitive, and in
some cases classiied, nature of the information.
One government oicial says China’s goal was long-term
access tohigh-value corporate secrets and sensitive government
networks. No consumer data is known to have been stolen.
The ramiications of the attack continue to play out. The
Trump administration has made computer and networking
hardware, including motherboards, a focus of its latest round
of trade sanctions against China, and White House oicials
have made it clear they think companies will begin shifting
their supply chains to other countries as a result. Such a shift
might assuage oicials who have been warning for years about
the security of the supply chain—even though they’ve never
disclosed a major reason for their concerns.
B
ack in 2006, three engineers in Oregon had a clever idea.
Demand for mobile video was about to explode, and
they predicted that broadcasters would be desperate to
transform programs designed to it TV screens into the vari-
ous formats needed for viewing on smartphones, laptops, and
other devices. To meet the anticipated demand, the engineers
started Elemental Technologies, assembling what one former
adviser to the company calls a genius team to write code that
would adapt the superfast graphics chips being produced for
high-end video-gaming machines. The resulting software dra-
matically reduced the time it took to process large video iles.
Elemental then loaded the software onto custom-built servers
emblazoned with its leprechaun-green logos.
Elemental servers sold for as much as $100,000 each, at
proit margins of as high as 70 percent, according to a former
adviser to the company. Two of Elemental’s biggest early cli-
ents were the Mormon church, which used the technology to
beam sermons to congregations around the world, and the
adult ilm industry, which did not.
Elemental also started working with American spy agen-
cies. In 2009 the company announced a development part-
nership with In-Q-Tel Inc., the CIA’s investment arm, a deal
that paved the way for Elemental servers to be used in national
security missions across the U.S. government. Public docu-
ments, including the company’s own promotional materials,
show that the servers have been used inside Department of
Defense data centers to process drone and surveillance-cam-
era footage, on Navy warships to transmit feeds of airborne
missions, and inside government buildings to enable secure
videoconferencing. NASA, both houses of Congress, and the
Department of Homeland Security have also been customers.
This portfolio made Elemental a target for foreign adversaries.
Supermicro had been an obvious choice to build Elemental’s
servers. Headquartered north of San Jose’s airport, up a
smoggy stretch of Interstate 880, the company was founded
by Charles Liang, a Taiwanese engineer who attended graduate
school in Texas and then moved west to start Supermicro with
his wife in 1993. Silicon Valley was then embracing outsourc-
ing, forging a pathway from Taiwanese, and later Chinese, fac-
tories to American consumers, and Liang added a comforting
advantage: Supermicro’s motherboards would be engineered
mostly in San Jose, close to the company’s biggest clients, even
if the products were manufactured overseas.
Today, Supermicro sells more server motherboards than
almost anyone else. It also dominates the $1 billion market
for boards used in special-purpose computers, from MRI
machines to weapons systems. Its motherboards can be
“Having a well-done, nation-state-
level hardware implant surface
would be like witnessing a unicorn
jumping over a rainbow”