Mistrust against Chinese suppliers a real threat after Supermicro reports, say analysts
TAIPEI — Analysts expect changes in the global electronics supply chain following a report that Chinese spies planted chips in the servers of nearly 30 U.S. companies, including Amazon and Apple.
A Bloomberg report, citing U.S. government and corporate sources speaking off the record, said a unit of China’s People’s Liberation Army (PLA) was behind the effort to hack into the operations of U.S. companies and compromise the global supply chain.
The Bloomberg report, which Apple and Amazon refuted, comes as the Trump administration escalates its trade war with China, targeting computer and networking hardware in its latest round of sanctions. White House officials expect companies to shift their supply chains to other countries as a result.
Analysts said the impact of the reported spying will be substantial.
“There’s going to be structural changes in how hardware gets validated, tested and approved across the supply chain following this,” Arete Research analyst Brett Simpson said to EE Times. “We’ve lost the trust factor — and where something is made will get scrutinized until steps are taken to get that trust factor back. Geopolitics and tech are becoming intertwined and that’s the new normal we have to live with.”
One of the results may be higher manufacturing costs.
“There will certainly be a lot of parties interested in moving production back to domestic territory, but that’s swimming upstream against all of the efficiencies that today’s global supply chain provides,” IDC Vice President of Devices Research Bryan Ma told EE Times. “As such, it would likely be contained to more sensitive components and systems.”
Perception is part of reality. The Bloomberg report comes at a time when trade tensions are high, and Ma said he won’t be surprised if it fuels more political agendas.
“In a nutshell, it will raise the risk concern on outsourcing electronic manufacturing to China,” said Bernstein analyst Mark Li.
According to the Bloomberg report, which cited numerous sources in the U.S. government and insiders at companies including Apple and Amazon, one of the first signs of the hack came in 2015, when Amazon Web Services (AWS) hired a third-party company to evaluate the security of software compression firm Elemental Technologies, a company Amazon was planning to acquire.
That security check raised a flag, prompting AWS to scrutinize Elemental’s main product: servers that customers installed to handle video compression. The servers were assembled by Super Micro Computer Inc., one of the world’s biggest suppliers of server motherboards. The company is generally known as Supermicro. That company also questioned the accuracy of the Bloomberg report.
The AWS checks revealed a rogue chip on the motherboards, the Bloomberg report said. Amazon reported the discovery to the U.S. government, sounding an alarm in the intelligence community. Elemental’s servers were in Department of Defense data centers, the CIA’s drone operations and networks of Navy warships. Elemental was just one of hundreds of Supermicro customers.
A top-secret probe, which Bloomberg said is ongoing, showed that the chips created a backdoor into networks running the altered servers. The chips were inserted on motherboards at factories run by subcontractors in China, according to the report.
The chips were planted by operatives from a unit of China’s People’s Liberation Army, according to the report. U.S. officials called it the most significant supply chain attack known to have been carried out against American companies.
Among the companies allegedly affected are a major bank, government contractors and Apple. Apple was a key Supermicro customer until several years ago, when the company found suspicious chips on Supermicro motherboards. Apple has severed ties with Supermicro for what it described as unrelated reasons.
Amazon, Apple and Supermicro disputed the Bloomberg report. The Chinese government commented that supply chain safety is an issue of common concern, and China is also a victim.
The companies’ denials were countered in the Bloomberg story by six current and former U.S. senior national security officials, who described the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on the attack at Elemental and Amazon. In addition to three Apple insiders, four of the six U.S. officials said that Apple was a victim.
One government official says China’s goal was long-term access to high-value corporate secrets and sensitive government networks. No consumer data is reportedly known to have been stolen.
Elemental has worked with American spy agencies. In 2009 the company announced a development partnership with In-Q-Tel Inc., the CIA’s investment arm, a deal that opened the door for Elemental servers to be used in other U.S. national security operations. NASA, both houses of Congress and the Department of Homeland Security have been customers.
Supermicro was founded by Charles Liang, a Taiwanese engineer who attended graduate school in Texas and moved to California to start Supermicro in 1993. Supermicro’s motherboards were designed mostly in San Jose and manufactured overseas.
Supermicro dominates the $1 billion market for boards used in special-purpose computers, from MRI machines to weapons systems. Its motherboards can be found in custom servers at banks, hedge funds, cloud computing providers and web-hosting services. Supermicro has assembly facilities in California, the Netherlands and Taiwan, but its motherboards are nearly all made by contractors in China.
Most of the company’s workforce in San Jose is Taiwanese or Chinese.
As early as the first half of 2014, intelligence officials alerted the White House that China’s military planned to insert the chips into Supermicro motherboards, the report said.
Apple allegedly discovered suspicious chips inside Supermicro servers around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders cited in the report say the company noted the incident to the FBI but kept details highly confidential. Government investigators allegedly got more evidence when Amazon made its discovery and provided samples of sabotaged hardware. U.S. intelligence agencies then conducted a detailed investigation of the chips and their operation.
The chips looked more like signal conditioning couplers than ICs, making the components hard to detect without specialized equipment, according to Bloomberg. The spy chips were traced to four subcontractors in China that have been making Supermicro motherboards for at least two years.
In some cases, plant managers were approached by people who claimed to represent Supermicro or who held positions suggesting a connection to the Chinese government, according to Bloomberg. The middlemen would request changes to the motherboards’ original designs, initially offering bribes in conjunction with their unusual requests. If that didn’t work, they threatened factory managers with inspections that could shut down their plants. Once arrangements were in place, the middlemen would organize delivery of the chips to the factories.
The U.S. investigators concluded that a People’s Liberation Army unit specializing in hardware attacks was behind the scheme.
—Alan Patterson covers the semiconductor industry for EE Times. He is based in Taiwan.