Investigation Into Supermicro’s Server Motherboards Finds No Malicious Spy Hardware

In October, a report by Bloomberg claimed that spies working for the Chinese government had inserted microchips on Supermicro server motherboards to spy on customers, which Bloomberg reported as affecting Apple and nearly 30 companies in total. Today, the outside investigations firm hired by Supermicro reported its findings, confirming that there is no evidence of any malicious hardware in current or old Supermicro server motherboards, including those used by Apple for iCloud (via Reuters).


Supermicro denied the allegations made in the Bloomberg report when it came out, and in today's letter to its customers said it was not surprised by the new findings. The investigation was performed by global firm Nardello & Co., which tested samples of motherboards in current production, as well as versions that were specifically sold to Apple and Amazon since both of those companies were mentioned directly by Bloomberg.

Nardello & Co. also examined software and design files, and didn't find any unauthorized components or signals being sent out from Supermicro. Interested customers will be able to ask for more details about the investigation, and Supermicro is still reviewing its legal options following the investigation.

The day that "The Big Hack" article came out, Apple quickly released a statement, denying all claims made about the microchips spying on customers. "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," Apple said in its statement.

Eventually both Apple CEO Tim Cook and Supermicro CEO Charles Liang called on Bloomberg to retract the story. Talking to BuzzFeed News, Cook said there is "no truth" to Bloomberg's claims about Apple. As of today, the story remains online.



Supermicro CEO Joins Cook in Calling for Bloomberg to Retract Supply Chain Hack Story

Last week, Apple CEO Tim Cook called on Bloomberg to retract a highly controversial story suggesting Chinese spies planted microchips in the Supermicro server motherboards used in Apple's data facilities, saying there was no truth to Bloomberg's claims.

Today, Supermicro CEO Charles Liang joined Cook in calling for a retraction. In a statement shared by CNBC, Liang said that Supermicro has not found malicious hardware components in its products, nor has Bloomberg produced an affected Supermicro motherboard. Bloomberg, he says, should "act responsibly" and retract its "unsupported allegations."


Liang's full statement:
Supermicro is committed to making world-class servers and storage products. Bloomberg's recent story has created unwarranted confusion and concern for our customers, and has caused our customers, and us, harm.

Bloomberg should act responsibly and retract its unsupported allegations that malicious hardware components were implanted on our motherboards during the manufacturing process.

The allegations imply there are a large number of affected motherboards. Bloomberg has not produced a single affected motherboard, we have seen no malicious hardware components in our products, no government agency has contacted us about malicious hardware components, and no customer has reported finding any malicious hardware components, either.

Supermicro, like Apple and other companies involved, has denied all of Bloomberg's claims since the story was first released. Supermicro previously said it was not aware of any investigation nor any companies that had found illicit hardware in their Supermicro products.

Amazon Web Services CEO Andy Jassy also spoke out against Bloomberg today, saying that the story is "wrong about Amazon, too." Like Cook, Jassy says Bloomberg at no point offered proof or listened to what Amazon had to say about the situation.


Cook last week said that Apple "turned the company upside down" and dug "very deep" but could find absolutely no evidence that such an attack took place. "Each time we came back to the same conclusion: This did not happen," said Cook. "There's no truth to this."

Since Bloomberg released its report, Apple has refuted the site's claims in multiple clearly worded statements denying it happened. Bloomberg continues to stand by its original reporting, which, citing 17 sources, said Apple, Amazon, and other tech companies had purchased and installed Supermicro servers that had been tampered with by the Chinese government.

Along with Apple, Amazon, and Supermicro, multiple other sources have cast doubt on the information shared in Bloomberg's story. The UK's Cyber Security Agency, the Department of Homeland Security, former FBI general counsel James Baker, and NSA Senior Advisor Rob Joyce, for example, have all questioned the veracity of Bloomberg's claims and have denied knowledge of such an investigation.

Note: Due to the political nature of the discussion regarding this topic, the discussion thread is located in our Politics, Religion, Social Issues forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.



Apple CEO Tim Cook Calls on Bloomberg to Retract Supply Chain Hack Story: ‘There’s No Truth to This’

For the first time since Bloomberg published a highly controversial story suggesting Chinese spies planted microchips in Supermicro server motherboards Apple used in its iCloud facilities, Apple CEO Tim Cook has gone on the record to vehemently deny the claims.

In an interview with BuzzFeed News, Cook said there is "no truth" to the story about Apple, before making the unprecedented move of calling on Bloomberg to publish a retraction.


Since the report went live earlier this month, Apple has refuted Bloomberg's claims in multiple clearly worded statements denying such an incident ever took place. Apple maintains that the story is "completely untrue," malicious chips were never found in its servers, and there was never an FBI investigation into the incident.

Bloomberg has continued to stand by its original report, which, based on info obtained from 17 unnamed sources, said that Apple, Amazon, and other tech companies had purchased and installed Supermicro servers that had been tampered with by the Chinese government. Small chips were allegedly implanted into server motherboards, allowing China to access corporate secrets and other information.

Apple did have an issue with Supermicro servers that led to the company dropping Supermicro as a supplier, but the relationship ended after malware was discovered on a single server in an incident unrelated to Bloomberg's claims.

According to Apple CEO Tim Cook, though he only spoke out publicly about the Bloomberg story this week, he's been involved in Apple's response "from the beginning."

"I personally talked to the Bloomberg reporters along with Bruce Sewell who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions," said Cook. "Each time they brought this up to us, the story changed and each time we investigated we found nothing."

Cook went on to say that Bloomberg failed to provide Apple with specific details about the malicious chips the company supposedly found and removed, and that Bloomberg's claims are based on "vague secondhand accounts." Cook told BuzzFeed that Apple did a deep search through all of its documentation and could find zero evidence of malicious chips or an FBI investigation.

"We turned the company upside down," Cook said. "Email searches, data center records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There's no truth to this."

As BuzzFeed points out, Apple has never publicly called for a retraction of a story before, even in instances where incorrect information was published. Following Cook's discussion with BuzzFeed, the site again contacted Bloomberg, and Bloomberg once again refused to budge.

"Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews," a spokesperson told BuzzFeed News in response to a series of questions. "Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies' full statements, as well as a statement from China's Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources."

Along with multiple strongly worded denials from Apple, including one to Congress, several other sources and government agencies have supported Apple's claims that the information shared in Bloomberg's story is false.

The UK's Cyber Security Agency, the Department of Homeland Security, former FBI general counsel James Baker, and NSA Senior Advisor Rob Joyce have all questioned the veracity of Bloomberg's claims and have denied knowledge of such an investigation.


Kaspersky Lab Says Report Claiming China Hacked Apple’s Former Server Supplier is Likely ‘Untrue’

Russia-based cybersecurity company Kaspersky Lab today said that while "hardware supply chain attacks are a reality," evidence suggests Bloomberg Businessweek's report about Chinese intelligence tampering with server motherboards manufactured by Apple's former supplier Supermicro is "untrue."


Kaspersky Lab said the report "should be taken with a grain of salt" in its 14-page analysis of the alleged attack, obtained by MacRumors:

The stories published by Bloomberg in October 2018 had a significant impact. For Supermicro, it meant a 40% stock valuation loss. For businesses owning Supermicro hardware, this can be translated into a lot of frustration, wasted time, and resources. Considering the strong denials from Apple and Amazon, the history of inaccurate articles published by Bloomberg, including but not limited to the usage of Heartbleed by U.S. intelligence prior to the public disclosure, as well as other facts from these stories, we believe they should be taken with a grain of salt.

Kaspersky Lab added that the language in both the Apple and Amazon statements denying the Bloomberg Businessweek report is "pretty strong" and "leaves little to no chance of retractions or denials at a later time." The firm added that the statements are regulated by the SEC in the United States.

The key part of Apple's statement was as follows:

On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

In a press release, Apple later said it is not under any kind of gag order or other confidentiality obligations.

Referring to Apple's mid-2016 detection of malware-infected firmware in specific Supermicro servers that were used internally only, Kaspersky Lab said it believes it is "quite possible that the Bloomberg journalists misunderstood the incident and included it in the hardware supply chain attack story."

The analysis said hardware-based attacks like the one alleged in the Bloomberg Businessweek report are sophisticated, difficult to implement, and expensive. "For instance, even if a server board is compromised during manufacturing, it is complicated to ensure that it finds its way to a certain target."

The accuracy of Bloomberg Businessweek's report has been questioned by not only Kaspersky Lab, but the Department of Homeland Security, the U.K.'s National Cyber Security Centre, and NSA senior advisor Rob Joyce.

Moreover, Apple's recently retired general counsel Bruce Sewell said he called the FBI's then-general counsel James Baker last year after being told by Bloomberg of an open investigation into Supermicro, and was told that nobody at the federal law enforcement agency knew what the story was about.

Apple's aggressive campaign to deny the report extends to unnamed senior executives within the company. Supermicro and Amazon, also named in the report, have likewise issued strongly-worded denials of the report.

Bloomberg Businessweek continues to stand by its reporting, and has since followed up with a second story that claims a major U.S. telecommunications company discovered manipulated hardware from Supermicro in its network and removed it in August, citing a security expert working for the telecom company.

The original report, citing 17 unnamed sources, claimed that Chinese spies planted tiny chips the size of a pencil tip on server motherboards manufactured by Supermicro at its Chinese factories. The servers were then sold to companies such as Apple and Amazon for use in their respective data centers.

An unnamed government official cited in the report said China's goal was "long-term access to high-value corporate secrets and sensitive government networks," but no customer data is known to have been stolen.

The report claimed that Apple discovered the suspicious chips on the motherboards around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders were cited as saying the company reported the incident to the FBI, but kept details about what it had detected tightly held.

Apple dropped Supermicro as a supplier in 2016, after the incident with the malware-infected firmware updates.

We've covered Bloomberg Businessweek's report in extensive detail over the past week, with all of our coverage available in our "The Big Hack" archive. At this point, it remains a stalemate between Apple and Bloomberg.

Kaspersky Lab itself has faced controversy, with several reports over the last year claiming its software was compromised by Russian intelligence. Nevertheless, Motherboard said the firm "continues to have a good reputation in the industry," particularly as it relates to its ability to discover malware.


NSA Senior Advisor Latest to Question Report Claiming China Hacked Apple’s Former Server Supplier

Rob Joyce, Senior Advisor for Cybersecurity Strategy at the NSA, is the latest official to question the accuracy of Bloomberg Businessweek's bombshell "The Big Hack" report about Chinese spies compromising the U.S. tech supply chain.


"I have pretty good understanding about what we're worried about and what we're working on from my position. I don't see it," said Joyce, speaking at a U.S. Chamber of Commerce cyber summit in Washington, D.C. today, according to a subscriber-only Politico report viewed by MacRumors.

"I've got all sorts of commercial industry freaking out and just losing their minds about this concern, and nobody's found anything," Joyce added.

Joyce, a former White House cybersecurity coordinator, noted that all of the companies named in the Bloomberg Businessweek report have issued strong denials, including Apple, Amazon, and Supermicro. He said those companies would "suffer a world of hurt" if regulators later determine that they lied.

Apple's statement read in part:

On this we can be very clear: Apple has never found malicious chips, "hardware manipulations" or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.

Bloomberg Businessweek, citing 17 unnamed sources, claimed that Chinese spies planted tiny chips the size of a pencil tip on server motherboards manufactured by Supermicro at its Chinese factories. The servers were then sold to companies such as Apple and Amazon for use in their respective data centers.

An unnamed government official cited in the report said China's goal was "long-term access to high-value corporate secrets and sensitive government networks," but no customer data is known to have been stolen.

The report claimed that Apple discovered the suspicious chips on the motherboards around May 2015, after detecting odd network activity and firmware problems. Two senior Apple insiders were cited as saying the company reported the incident to the FBI, but kept details about what it had detected tightly held.

Apple dropped Supermicro as a supplier in 2016, a decision the company said it made for reasons unrelated to "The Big Hack" story.

Joyce is far from the only source to question the accuracy of the Bloomberg Businessweek report. Both the U.S. Department of Homeland Security and the U.K.'s national cyber security agency have said they have "no reason to doubt" Apple's denial of the story, while the FBI is said to be unaware of the hack.

"We're just befuddled," said Joyce. He added that he had "grave concerns about where this has taken us," according to Politico. "I worry that we're chasing shadows right now. I worry about the distraction that it is causing."

In related news, Reuters reports that U.S. Senator John Thune has sent letters to the CEOs of Apple, Amazon, and Supermicro with questions about the allegations. U.S. Senators Marco Rubio and Richard Blumenthal also sent a joint letter to Supermicro CEO Charles Liang with similar questions.
