U.S.-based computing vendor Super Micro has issued the findings of an investigation that it says proves that its hardware was not bugged by the Chinese government.
Super Micro, which specializes in green computing for data centers and cloud computing, enterprise IT, big data, high performance computing and embedded markets, has seen its stock price plummet (by more than 50 percent) and customers walk away since a bombshell Bloomberg report in October claimed its motherboards were bugged.
Unnamed sources said that the boards were compromised at the factory level, to be turned into espionage tools on behalf of Beijing. This was done by attaching a small chip – “no bigger than a grain of rice” – to the circuitry, they alleged. The goal, the sources said, was to infiltrate some of Super Micro’s marquee customers, including Apple and Amazon Web Services.
The U.S. government was another rich target, the sources claimed, with companies like Elemental, an entity that Amazon acquired, used as the tip of the spear.
The report claimed that the bugs were first found on the Super Micro boards that power Elemental’s servers; and that Elemental servers “could be found in Department of Defense data centers, the CIA’s drone operations and the onboard networks of Navy warships.” This in turn, Bloomberg said, turned into a years-long investigation by authorities, who concluded that the bugging took place.
However, Super Micro has vehemently denied the allegations. To prove it, it said that it took “a representative sample” of its motherboards, “including the specific type of motherboard depicted in the article and motherboards purchased by companies referenced in the article, as well as more recently manufactured motherboards” – and found nary a spy chip on board any of them. The investigation was carried out by an independent third party.
“After thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards,” said Super Micro CEO and president Charles Liang, in an open letter posted Tuesday.
The hardware vendor also posted a video showing the steps it takes in its quality assurance process.
Marriott Breach, Other Spy Efforts
Tampering with computing hardware at the factory level is certainly not unheard of; in 2012 Microsoft said in a report detailing its work to disrupt the Nitol botnet that criminals had exploited insecure supply chains to install malware as PCs were being built. Chinese espionage tools embedded into hardware is not an uncommon fear or concern either. Earlier this year, D.C. lawmakers announced that they would move to ban the use of Huawei’s and ZTE’s wares by the government, as the two Chinese giants’ ties to Beijing represent a serious cybersecurity risk.
The news comes as Chinese spy efforts ramp up in the headlines. The New York Times on Tuesday reported that a Chinese intelligence-gathering effort was behind the massive Marriott hotels data breach, according to officials. That incident exposed the personal information for up to 500 million people. The hackers were likely working for China’s Ministry of State Security, the sources told the outlet. And meanwhile, the U.S. Justice Department is preparing to announce new indictments against Chinese hackers working for the intelligence and military services, according to reports. And, Huawei CFO Meng Wanzhou has been released on bail and is awaiting extradition to the U.S. to stand trial for charges of fraudulently evading U.S. sanctions on Iran – a state of affairs that has been comingled with Washington’s aforementioned view of her company as a spy conduit.