This story is drawn from interviews with more than 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector. Most asked not to be named in order to share sensitive information. Some details were confirmed in corporate documents Bloomberg News reviewed.
Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.
Before I get into my confusion, a necessary caveat: I only have information that has been shared publicly and I am a hobbyist commentator, while Robertson and Riley are journalists who have been collecting details for years. These stories matter a lot, and their allegations are profound, but extraordinary claims demand extraordinary evidence. And based on everything that has been reported so far, I just don’t see it yet. Chalk it up to my own confusion and naïveté, but it seems like I am not alone in finding these reports insufficiently compelling.
Here’s the one-paragraph summary: Supermicro is a big company with lots of clients, any of which would be concerned about a backdoor to a foreign intelligence agency in their hardware. According to these reports, the U.S. intelligence apparatus was mobilized to counter the alleged threat. This has been a high-profile case since the first story was published. And I am supposed to believe that, in two and a half years, the only additional reporting that has been done on this story is from the same journalists at the same publication as the original. Why do I not buy that?
The original story’s key allegations — what made it a blockbuster — were that Chinese government operatives had surreptitiously added “phone home” chips to server components made by a company named Supermicro, and that Apple and Amazon were among the companies who’d been breached by these compromised servers. Apple and Amazon adamantly refuted the entire story, in unambiguous language. Bloomberg’s original report offered no firsthand evidence of these compromised servers. In the years since, no one has ever discovered any evidence of such compromised servers.
Today’s follow-up from Bloomberg offers no evidence either.
Bloomberg’s story is a mishmash of disparate and inaccurate allegations that date back many years. It draws farfetched conclusions that once again don’t withstand scrutiny. In fact, the National Security Agency told Bloomberg again last month that it stands by its 2018 comments and the agency said of Bloomberg’s new claims that it “cannot confirm that this incident—or the subsequent response actions described—ever occurred.” Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back more than 10 years, Supermicro has never been contacted by the U.S. government, or by any of our partners or customers, about these alleged investigations.
Since Bloomberg’s first story on this idea two and a half years ago, there has been silence and no evidence supporting the article. No one has been able to produce a board with a spy chip on it. And Bloomberg still has no evidence to backup their extradorinaiy claims. My suspicions, from reading about this story, is if these supply-chain attacks are occurring, they are rare and highly targeted attacks at high-level government targets. But that’s a big if. Either way, China is not wasting resources on Apple’s iCloud data centers, but Bloomberg’s reporting makes this sound like every AWS server has more spy chips than CPU cores in it, and that just isn’t the case. These are high value government targets, which is the only explanation for why evidence doesn’t exist: government agencies being targeted by this kind of attack know how to keep quiet.