
56

Bloomberg Businessweek

October 8, 2018

cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.

U.S. officials had caught China experimenting with hardware tampering before, but they’d never seen anything of this scale and ambition. The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet. What remained for investigators to learn was how the attackers had so thoroughly infiltrated Supermicro’s production process—and how many doors they’d opened into American targets.

Unlike software-based hacks, hardware manipulation creates a real-world trail. Components leave a wake of shipping manifests and invoices. Boards have serial numbers that trace to specific factories. To track the corrupted chips to their source, U.S. intelligence agencies began following Supermicro’s serpentine supply chain in reverse, a person briefed on evidence gathered during the probe says.

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.” The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries. In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

Provided details of Businessweek’s reporting, China’s Ministry of Foreign Affairs sent a statement that said “China is a resolute defender of cybersecurity.” The ministry added that in 2011, China proposed international guarantees on hardware security along with other members of the Shanghai Cooperation Organization, a regional security body. The statement concluded, “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”

The Supermicro attack was on another order entirely from earlier episodes attributed to the PLA. It threatened to have reached a dizzying array of end users, with some vital ones in the mix. Apple, for its part, has used Supermicro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.

Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Supermicro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Supermicro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.

Project delays and early performance problems meant that around 7,000 Supermicro servers were humming in Apple’s network by the time the company’s security team found the added chips. Because Apple didn’t, according to a U.S. official, provide government investigators with access to its facilities or the tampered hardware, the extent of the attack there remained outside their view.

American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for
