54
Bloomberg Businessweek
October 8, 2018
found in made-to-order server setups at banks, hedge funds, cloud computing providers, and web-hosting services, among other places. Supermicro has assembly facilities in California, the Netherlands, and Taiwan, but its motherboards—its core product—are nearly all manufactured by contractors in China. The company’s pitch to customers hinges on unmatched customization, made possible by hundreds of full-time engineers and a catalog encompassing more than 600 designs. The majority of its workforce in San Jose is Taiwanese or Chinese, and Mandarin is the preferred language, with hanzi filling the whiteboards, according to six former employees. Chinese pastries are delivered every week, and many routine calls are done twice, once for English-only workers and again in Mandarin. The latter are more productive, according to people who’ve been on both. These overseas ties, especially the widespread use of Mandarin, would have made it easier for China to gain an understanding of Supermicro’s operations and potentially to infiltrate the company. (A U.S. official says the government’s probe is still examining whether spies were planted inside Supermicro or other American companies to aid the attack.)
With more than 900 customers in 100 countries by 2015, Supermicro offered inroads to a bountiful collection of sensitive targets. “Think of Supermicro as the Microsoft of the hardware world,” says a former U.S. intelligence official who’s studied Supermicro and its business model. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.”
Well before evidence of the attack surfaced inside the networks of U.S. companies, American intelligence sources were reporting that China’s spies had plans to introduce malicious microchips into the supply chain. The sources weren’t specific, according to a person familiar with the information they provided, and millions of motherboards are shipped into the U.S. annually. But in the first half of 2014, a different person briefed on high-level discussions says, intelligence officials went to the White House with something more concrete: China’s military was preparing to insert the chips into Supermicro motherboards bound for U.S. companies.
The specificity of the information was remarkable, but so were the challenges it posed. Issuing a broad warning to Supermicro’s customers could have crippled the company, a major American hardware maker, and it wasn’t clear from the intelligence whom the operation was targeting or what its ultimate aims were. Plus, without confirmation that anyone had been attacked, the FBI was limited in how it could respond. The White House requested periodic updates as information came in, the person familiar with the discussions says.
Apple made its discovery of suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems, according to a person familiar with the timeline. Two of the senior Apple insiders say the company reported the incident to the FBI but kept details about what it had detected tightly held, even internally. Government investigators were still chasing clues on their own when Amazon made its discovery and gave them access to sabotaged hardware, according to one U.S. official. This created an invaluable opportunity for intelligence agencies and the FBI—by then running a full investigation led by its cyber- and counterintelligence teams—to see what the chips looked like and how they worked.
The chips on Elemental servers were designed to be as inconspicuous as possible, according to one person who saw a detailed report prepared for Amazon by its third-party security contractor, as well as a second person who saw digital photos and X-ray images of the chips incorporated into a later report prepared by Amazon’s security team. Gray or off-white in color, they looked more like signal conditioning couplers, another common motherboard component, than microchips, and so they were unlikely to be detectable without specialized equipment. Depending on the board model, the chips varied slightly in size, suggesting that the attackers had supplied different factories with different batches.
Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. “Hardware attacks are about access,” as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips’ operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board’s temporary memory en route to the server’s central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.
Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device’s operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.
This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won’t check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be