Chinese spies reportedly inserted microchips into servers used by Apple, Amazon and others




Chinese spies have infiltrated the supply chain for servers used by nearly 30 US companies, including government subcontractors, Apple and Amazon, according to an explosive report from Bloomberg Businessweek.

The operation is perhaps the most daring example of hardware hacking by a state ever publicly reported, with a branch of the Chinese armed forces compelling Chinese manufacturers to insert microchips into US-designed servers. The chips were "not much bigger than a grain of rice," reports Bloomberg, but able to subvert the hardware on which they are installed, siphon data and let new code in like a Trojan horse.

According to Bloomberg, Amazon and Apple discovered the hack during internal investigations and informed US authorities. The publication indicates that there is no direct evidence that corporate data, or that of users, has been stolen or altered, but both companies have been working quietly to remove compromised servers from their infrastructure.

Amazon and Apple firmly dispute this story. Amazon says it is "wrong" that it knew of "servers containing malicious chips or changes in data centers based in China," or that it "worked with the FBI to investigate or provide data on malicious material". Apple is just as definitive, telling Bloomberg: "In this regard, we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities deliberately created on a server."

The attack reportedly occurred via the American company Super Micro Computer Inc., known as Supermicro. The company is one of the world's largest suppliers of server motherboards and outsources manufacturing to factories in China and beyond.

Supermicro's motherboards are used worldwide both in specialty products such as MRI machines and weapon systems and in data centers run by technology giants. The company manufactures servers for hundreds of customers, including Elemental Technologies, a startup specializing in video compression that was acquired by Amazon in 2015.

"Think of Supermicro as Microsoft's hardware world," a former US intelligence official told Bloomberg. "Attacking Supermicro motherboards, it's like attacking Windows. It's like attacking the whole world."

According to Bloomberg, it was Elemental (via Supermicro) that was the prime target of the Chinese military. Elemental's servers are located in the Department of Defense's data centers, in the CIA's UAV operations, and in the Navy's warships, says the publication, and thousands of others are used by Apple and Amazon. In total, the attack affected nearly 30 US companies, including subcontractors and a large bank.

Parts of Bloomberg's story have already been reported. Apple broke off its relationship with Supermicro in 2016, but the iPhone maker claimed that this was due to a minor and unrelated security incident. Amazon reportedly distanced itself from Supermicro's compromised servers by selling its Chinese infrastructure to a rival, for reasons unknown at the time. In a statement to Bloomberg, Amazon admitted to discovering "vulnerabilities" in Supermicro products, but said they were in software, not hardware. Facebook, another potential customer, also encountered problems with Supermicro's products, identifying malware in the company's software and removing servers from its data centers.

Bloomberg's reporting has not been confirmed by on-the-record sources in the US intelligence community. The FBI and the Office of the Director of National Intelligence, representing the CIA and the NSA, declined to comment on the story. However, it is well known that such hardware subversions are a big prize for a country's intelligence services; the NSA itself has been caught conducting similar operations. They promise huge payoffs in stolen information but, unlike software hacks, leave behind physical traces.

As with other large-scale hacks and security failures, the impact of the operation reported by Bloomberg will be difficult to judge. According to the publication, the US intelligence investigation is still ongoing, three years after it was opened.
