
58

Bloomberg Businessweek

October 8, 2018

been found, according to a person familiar with the company’s probe. Instead, the team developed a method of monitoring the chips. In the ensuing months, they detected brief check-in communications between the attackers and the sabotaged servers but didn’t see any attempts to remove data. That likely meant either that the attackers were saving the chips for a later operation or that they’d infiltrated other parts of the network before the monitoring began. Neither possibility was reassuring.

When in 2016 the Chinese government was about to pass a new cybersecurity law—seen by many outside the country as a pretext to give authorities wider access to sensitive data—Amazon decided to act, the person familiar with the company’s probe says. In August it transferred operational control of its Beijing data center to its local partner, Beijing Sinnet, a move the companies said was needed to comply with the incoming law. The following November, Amazon sold the entire infrastructure to Beijing Sinnet for about $300 million. The person familiar with Amazon’s probe casts the sale as a choice to “hack off the diseased limb.”

As for Apple, one of the three senior insiders says that in the summer of 2015, a few weeks after it identified the malicious chips, the company started removing all Supermicro servers from its data centers, a process Apple referred to internally as “going to zero.” Every Supermicro server, all 7,000 or so, was replaced in a matter of weeks, the senior insider says. (Apple denies that any servers were removed.) In 2016, Apple informed Supermicro that it was severing their relationship entirely—a decision a spokesman for Apple ascribed in response to Businessweek’s questions to an unrelated and relatively minor security incident (sidebar, page 57).

That August, Supermicro’s CEO, Liang, revealed that the company had lost two major customers. Although he didn’t name them, one was later identified in news reports as Apple. He blamed competition, but his explanation was vague. “When customers asked for lower price, our people did not respond quickly enough,” he said on a conference call with analysts. Hayes, the Supermicro spokesman, says the company has never been notified of the existence of malicious chips on its motherboards by either customers or U.S. law enforcement.

Concurrent with the illicit chips’ discovery in 2015 and the unfolding investigation, Supermicro has been plagued by an accounting problem, which the company characterizes as an issue related to the timing of certain revenue recognition. After missing two deadlines to file quarterly and annual reports required by regulators, Supermicro was delisted from the Nasdaq on Aug. 23 of this year. It marked an extraordinary stumble for a company whose annual revenue had risen sharply in the previous four years, from a reported $1.5 billion in 2014 to a projected $3.2 billion this year.

One Friday in late September 2015, President Barack Obama and Chinese President Xi Jinping appeared together at the White House for an hourlong press conference headlined by a landmark deal on cybersecurity. After months of negotiations, the U.S. had extracted from China a grand promise: It would no longer support the theft by hackers of U.S. intellectual property to benefit Chinese companies. Left out of those pronouncements, according to a person familiar with discussions among senior officials across the U.S. government, was the White House’s deep concern that China was willing to offer this concession because it was already developing far more advanced and surreptitious forms of hacking founded on its near monopoly of the technology supply chain.

In the weeks after the agreement was announced, the U.S. government quietly raised the alarm with several dozen tech executives and investors at a small, invite-only meeting in McLean, Va., organized by the Pentagon. According to someone who was present, Defense Department officials briefed the technologists on a recent attack and asked them to think about creating commercial products that could detect hardware implants. Attendees weren’t told the name of the hardware maker involved, but it was clear to at least some in the room that it was Supermicro, the person says.

The problem under discussion wasn’t just technological. It spoke to decisions made decades ago to send advanced production work to Southeast Asia. In the intervening years, low-cost Chinese manufacturing had come to underpin the business models of many of America’s largest technology companies. Early on, Apple, for instance, made many of its most sophisticated electronics domestically. Then in 1992, it closed a state-of-the-art plant for motherboard and computer assembly in Fremont, Calif., and sent much of that work overseas.

Over the decades, the security of the supply chain became an article of faith despite repeated warnings by Western officials. A belief formed that China was unlikely to jeopardize its position as workshop to the world by letting its spies meddle in its factories. That left the decision about where to build commercial systems resting largely on where capacity was greatest and cheapest. “You end up with a classic Satan’s bargain,” one former U.S. official says. “You can have less supply than you want and guarantee it’s secure, or you can have the supply you need, but there will be risk. Every organization has accepted the second proposition.”

In the three years since the briefing in McLean, no commercially viable way to detect attacks like the one on Supermicro’s motherboards has emerged—or has looked likely to emerge. Few companies have the resources of Apple and Amazon, and it took some luck even for them to spot the problem. “This stuff is at the cutting edge of the cutting edge, and there is no easy technological solution,” one of the people present in McLean says. “You have to invest in things that the world wants. You cannot invest in things that the world is not ready to accept yet.”

Bloomberg LP has been a Supermicro customer. According to a Bloomberg LP spokesperson, the company has found no evidence to suggest that it has been affected by the hardware issues raised in the article.