Bloomberg Businessweek
October 8, 2018

cast as an unexplained oddity. “The hardware opens whatever door it wants,” says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.

U.S. officials had caught China experimenting with hardware tampering before, but they’d never seen anything of this scale and ambition. The security of the global technology supply chain had been compromised, even if consumers and most companies didn’t know it yet. What remained for investigators to learn was how the attackers had so thoroughly infiltrated Supermicro’s production process—and how many doors they’d opened into American targets.

Unlike software-based hacks, hardware manipulation creates a real-world trail. Components leave a wake of shipping manifests and invoices. Boards have serial numbers that trace to specific factories. To track the corrupted chips to their source, U.S. intelligence agencies began following Supermicro’s serpentine supply chain in reverse, a person briefed on evidence gathered during the probe says.

As recently as 2016, according to DigiTimes, a news site specializing in supply chain research, Supermicro had three primary manufacturers constructing its motherboards, two headquartered in Taiwan and one in Shanghai. When such suppliers are choked with big orders, they sometimes parcel out work to subcontractors. In order to get further down the trail, U.S. spy agencies drew on the prodigious tools at their disposal. They sifted through communications intercepts, tapped informants in Taiwan and China, even tracked key individuals through their phones, according to the person briefed on evidence gathered during the probe. Eventually, that person says, they traced the malicious chips to four subcontracting factories that had been building Supermicro motherboards for at least two years.

As the agents monitored interactions among Chinese officials, motherboard manufacturers, and middlemen, they glimpsed how the seeding process worked. In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the government. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.

The investigators concluded that this intricate scheme was the work of a People’s Liberation Army unit specializing in hardware attacks, according to two people briefed on its activities. The existence of this group has never been revealed before, but one official says, “We’ve been tracking these guys for longer than we’d like to admit.” The unit is believed to focus on high-priority targets, including advanced commercial technology and the computers of rival militaries. In past attacks, it targeted the designs for high-performance computer chips and computing systems of large U.S. internet providers.

Provided details of Businessweek’s reporting, China’s Ministry of Foreign Affairs sent a statement that said “China is a resolute defender of cybersecurity.” The ministry added that in 2011, China proposed international guarantees on hardware security along with other members of the Shanghai Cooperation Organization, a regional security body. The statement concluded, “We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”

The Supermicro attack was on another order entirely from earlier episodes attributed to the PLA. It threatened to have reached a dizzying array of end users, with some vital ones in the mix. Apple, for its part, has used Supermicro hardware in its data centers sporadically for years, but the relationship intensified after 2013, when Apple acquired a startup called Topsy Labs, which created superfast technology for indexing and searching vast troves of internet content. By 2014, the startup was put to work building small data centers in or near major global cities. This project, known internally as Ledbelly, was designed to make the search function for Apple’s voice assistant, Siri, faster, according to the three senior Apple insiders.

Documents seen by Businessweek show that in 2014, Apple planned to order more than 6,000 Supermicro servers for installation in 17 locations, including Amsterdam, Chicago, Hong Kong, Los Angeles, New York, San Jose, Singapore, and Tokyo, plus 4,000 servers for its existing North Carolina and Oregon data centers. Those orders were supposed to double, to 20,000, by 2015. Ledbelly made Apple an important Supermicro customer at the exact same time the PLA was found to be manipulating the vendor’s hardware.

Project delays and early performance problems meant that around 7,000 Supermicro servers were humming in Apple’s network by the time the company’s security team found the added chips. Because Apple didn’t, according to a U.S. official, provide government investigators with access to its facilities or the tampered hardware, the extent of the attack there remained outside their view.

American investigators eventually figured out who else had been hit. Since the implanted chips were designed to ping anonymous computers on the internet for