On Thursday, Bloomberg reported that the Chinese military had successfully implanted malicious microchips in motherboards used by almost 30 U.S. companies as well as intelligence agencies.
Implanting microchips is a hardware hack that literally adds a piece that shouldn’t be there, opening a door for further attacks. Here’s what you need to know:
What did the microchips do?
The specific components added by a unit of the People’s Liberation Army allowed the motherboards to communicate with and be controlled or modified by an outside computer. That meant that these systems were pre-programmed to accept modifications, including, for example, manipulation of the requirement for a password.
Bloomberg quoted Joe Grand, a hardware hacker, as saying that “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow.”
How did they get there?
The motherboards with the malicious chips were manufactured in China for the U.S. company Supermicro. That company assembles its products in the U.S., but its main product, motherboards, is manufactured in China. Supermicro, although not a household name for many Americans, supplies the hardware, often custom-built, for a wide range of companies and government agencies.
That means that compromising the motherboards manufactured by Supermicro was an easy way to give China uninhibited access to key American industries and government operations. That’s exactly what happened.
More specifically, the microchips themselves were manufactured by the Chinese military. Its officers then approached Chinese factories making motherboards for Supermicro and, with bribes and threats, had those microchips inserted during production. Those motherboards then became part of servers sold by Supermicro and used in U.S. data centers.
How was the problem discovered?
As Bloomberg reports, the problem was discovered when Amazon looked into acquiring the video compression and formatting start-up Elemental Technologies. As part of its review, Amazon had a third-party security firm analyze Elemental’s servers. That review found that the motherboards used in the company’s servers contained a tiny microchip that wasn’t part of the original design.
Amazon reported this to U.S. authorities. Elemental's products, in addition to working on commercial projects like streaming the Olympics, also were used by the Department of Defense, CIA drone operations, and Navy warships.
How big was the problem?
The problem was much bigger than Elemental and affected almost 30 companies. That’s because Elemental wasn’t the only customer using Supermicro motherboards: more than 900 companies in 100 countries used them in 2015. The supply chain itself had been compromised.
When did we learn about it?
Intelligence sources had long said that the Chinese were attempting this sort of hardware attack, but the first report of activity targeted at Supermicro came in 2014 in a report made to the Obama White House. Washington was limited in its response because no attack had been reported and officials had few details to act on.
In May 2015, Apple reported suspicious activity to the FBI but kept the details quiet. Apple quietly cut ties with Supermicro soon after. The Amazon report to the FBI seems to have been much more cooperative and allowed better government understanding of the supply chain breach. After that, Amazon also worked to cut ties with its data center in China and eventually sold it off. The full investigation, however, is still ongoing.
What was China after?
According to the Bloomberg report, Beijing wanted “long-term access to high-value corporate secrets and sensitive government networks.” Consumer data does not appear to have been the target.
What do the companies involved have to say?
Amazon, Apple, and Supermicro have all disputed the findings of Bloomberg’s report. Those statements, however, are contradicted by the series of interviews, documents, and other information provided to Bloomberg by both industry insiders and government officials involved in the matter.
What are some key takeaways?
For one thing, this report undermines the long-held confidence that China wouldn’t want to attempt a hardware hack because it might hurt international trust in Chinese products and drive lucrative manufacturing away from the country. It also means that although the U.S. has been focused on software attacks, added vigilance on imported hardware is also necessary.
Additionally, this means that China already likely has much, much more information on both U.S. industry and military operations than was previously thought, and that Beijing is willing to aggressively and illegally go after this information.
Finally, for President Trump’s promise of a better trade deal with China, it lends more credibility to claims of improper behavior on the part of Beijing, and perhaps justifies domestic production of key industries — not steel, but perhaps motherboards.