An explosive report by Bloomberg Businessweek reveals that Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies, including government contractors, Apple, and Amazon.
China's armed forces, known as the People's Liberation Army, forced Chinese manufacturers to insert chips “not much bigger than a grain of rice” into servers designed in the United States during the equipment manufacturing process carried out in China.
Since 2015, the US government has been conducting a top-secret investigation into these chips, which have been used to gather trade secrets and intellectual property from American companies.
Most notably, it confirmed that, in addition to efforts designed to sway US elections, China's intelligence community orchestrated a pervasive infiltration of servers used to power everything from MRI machines to the drones used by the CIA and army. They accomplished this using a tiny microchip no bigger than a grain of rice.
Bloomberg published the report just hours before Vice President Mike Pence was expected to “string together a narrative of Chinese aggression” during a speech at the Hudson Institute in Washington. According to excerpts leaked to the New York Times, his speech was expected to focus on examples of China's “aggressive moves against American warships, of predatory behavior against their neighbors, and of a sophisticated influence campaign to tilt the midterms and 2020 elections against President Trump”. His speech is also expected to focus on how China leverages debt and its capital markets to force foreign governments to submit to its will (something that has happened in Bangladesh and the Czech Republic).
But while those narratives are certainly important, they pale in comparison to Bloomberg's revelations about an ongoing government investigation into China's use of a “tiny microchip” that found its way into servers that were widely used throughout the US military and intelligence infrastructure, from Navy warships to DoD server farms. The probe began three years ago after US intelligence agencies were tipped off by Amazon. And three years later, it remains ongoing.
Nested on the servers’ motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental’s servers could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.
During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.
With those two paragraphs, Bloomberg has succeeded in shifting the prevailing narrative away from Russia and toward China. Or, as Pence is expected to state in Thursday's speech (via NYT), “as a senior career member of our intelligence community recently told me, what the Russians are doing pales in comparison to what China is doing across this country.”
The story begins with a Silicon Valley startup called Elemental. Founded in 2006 by three engineers who brilliantly anticipated that broadcasters would soon be searching for a way to adapt their programming for streaming over the Internet and on mobile devices like smartphones, Elemental went about building a “dream team” of coders who designed software to adapt the super-fast graphics chips being designed for video gaming to stream video instead. The company then loaded this software onto special, custom-built servers emblazoned with its logo. These servers then sold for as much as $100,000 a pop – a markup of roughly 70%. In 2009, the company received its first contract with US defense and intelligence contractors, and even received an investment from a CIA-backed venture fund.
- Elemental also started working with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that paved the way for Elemental servers to be used in national security missions across the U.S. government. Public documents, including the company’s own promotional materials, show that the servers have been used inside Department of Defense data centers to process drone and surveillance-camera footage, on Navy warships to transmit feeds of airborne missions, and inside government buildings to enable secure videoconferencing. NASA, both houses of Congress, and the Department of Homeland Security have also been customers. This portfolio made Elemental a target for foreign adversaries.
Like those of many other companies, Elemental's servers utilized motherboards built by Supermicro, which dominates the market for motherboards used in special-purpose computers. It was here, at Supermicro, that the government believes – according to Bloomberg's sources – the infiltration began. Before it came to dominate the global market for computer motherboards, Supermicro had humble beginnings. A Taiwanese engineer and his wife founded the company in 1993, at a time when Silicon Valley was embracing outsourcing. It attracted clients early on with the promise of infinite customization, employing a massive team of engineers to make sure it could accommodate its clients' every need. Customers also appreciated that, while Supermicro's motherboards were assembled in China or Taiwan, its engineers were based in Silicon Valley. But the company's workforce featured one characteristic that made it uniquely attractive to China: a sizable portion of its engineers were native Mandarin speakers. (One of Bloomberg's sources said the government is still investigating whether spies were embedded within Supermicro or other US companies.)
But however it was done, these tiny microchips somehow found their way into Supermicro's products. Bloomberg provided a step-by-step guide detailing how it believes that happened.
- A Chinese military unit designed and manufactured microchips as small as a sharpened pencil tip. Some of the chips were built to look like signal conditioning couplers, and they incorporated memory, networking capability, and sufficient processing power for an attack.
- The microchips were inserted at Chinese factories that supplied Supermicro, one of the world’s biggest sellers of server motherboards.
- The compromised motherboards were built into servers assembled by Supermicro.
- The sabotaged servers made their way inside data centers operated by dozens of companies.
- When a server was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.