The Long Hack: How China Exploited a U.S. Tech Supplier

For years, U.S. investigators found tampering in products made by Super Micro Computer Inc. The company says it was never told. Neither was the public.

By Jordan Robertson and Michael Riley

In 2010, the U.S. Department of Defense found thousands of its computer servers sending military network data to China - the result of code hidden in chips that handled the machines’ startup process. In 2014, Intel Corp. discovered that an elite Chinese hacking group breached its network through a single server that downloaded malware from a supplier’s update site. And in 2015, the Federal Bureau of Investigation warned multiple companies that Chinese operatives had concealed an extra chip loaded with backdoor code in one manufacturer’s servers.

Each of these distinct attacks had two things in common: China and Super Micro Computer Inc., a computer hardware maker in San Jose, California. They shared one other trait: U.S. spymasters discovered the manipulations but kept them largely secret as they tried to counter each one and learn more about China’s capabilities.

China’s exploitation of products made by Supermicro, as the U.S. company is known, has been under federal scrutiny for much of the past decade, according to 14 former law enforcement and intelligence officials familiar with the matter. That included an FBI counterintelligence investigation that began around 2012, when agents started monitoring the communications of a small group of Supermicro workers, using warrants obtained under the Foreign Intelligence Surveillance Act, or FISA, according to five of the officials.

Whether that probe continues is unknown, as is a full account of its findings. But as recently as 2018, the FBI enlisted private-sector help in analyzing Supermicro equipment that contained added chips, according to an adviser to two security firms that did the work.

The Supermicro saga demonstrates a widespread risk in global supply chains, said Jay Tabb, a former senior FBI official who agreed to speak generally about China’s interference with the company’s products. “Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China,” said Tabb, who was the executive assistant director of the FBI’s national security branch from 2018 until he retired in January 2020. “It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured.”

Tabb declined to address specifics of the FBI’s probe. “The Chinese government has been doing this for a long time, and companies need to be aware that China is doing this,” he said. “And Silicon Valley in particular needs to quit pretending that this isn’t happening.”

Neither Supermicro nor any of its employees has been accused of wrongdoing, and former U.S. officials who provided information for this story emphasized that the company itself has not been the target of any counterintelligence investigation.

In response to detailed questions, Supermicro said it has “never been contacted by the U.S. government, or by any of our customers, about these alleged investigations.” The company said Bloomberg had assembled “a mishmash of disparate and inaccurate allegations” that “draws farfetched conclusions.”

Federal agencies, including those described in this article as conducting investigations, still buy Supermicro products, the company said. And it noted that this account of a counterintelligence investigation lacks full details, including the probe’s outcome or whether it’s ongoing. The full response is published here. “Supermicro is an American success story and the security and integrity of our products is a top priority,” the company said.

A spokesperson for the Chinese Foreign Ministry called accounts of these attacks “attempts to discredit China and Chinese enterprises” and accused U.S. officials of “making things up to hype up the ‘China threat.’” “China has never and will never require enterprises or individuals to collect or provide data, information and intelligence from other countries for the Chinese government by installing ‘back doors,’” the spokesperson said in a written statement.

This story is drawn from interviews with more than 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector. Most asked not to be named in order to share sensitive information. Some details were confirmed in corporate documents Bloomberg News reviewed. Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015.

That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the

With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products. Throughout, government officials kept their findings from the general public.

Supermicro itself wasn’t told about the FBI’s counterintelligence investigation, according to three former U.S. officials. The secrecy lifted occasionally, as the bureau and other government agencies warned a select group of companies and sought help from outside experts.

“In early 2018, two security companies that I advise were briefed by the FBI’s counterintelligence division investigating this discovery of added malicious chips on Supermicro’s motherboards,” said Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm.

“These two companies were subsequently involved in the government investigation, where they used advanced hardware forensics on the actual tampered Supermicro boards to validate the existence of the added malicious chips.” Janke, whose firm has incubated startups with former members of the U.S. intelligence community, said the two companies are not allowed to speak publicly about that work but they did share details from their analysis with him. He agreed to discuss their findings generally to raise awareness about the threat of Chinese espionage within technology supply chains.

“This is real,” Janke said, “and the government knows it.”

‘Unauthorized Intrusions’

Supermicro, founded in 1993 by Taiwanese immigrant Charles Liang, was built to take advantage of global supply chains. Many of its motherboards - the clusters of chips and circuitry that run modern electronics - were manufactured in China by contractors, then assembled into servers in the U.S. and elsewhere.

The company, which earned $3.3 billion in revenue last year, has seen its computer gear become pervasive in the cloud computing era. Its motherboards sit in products ranging from medical imaging scanners to cybersecurity devices. Supermicro declined to address questions about whether it relies on contract manufacturers in China today.

In an unusual disclosure for any public company, Supermicro told investors in May 2019 that its own computer networks had been breached over multiple years. “We experienced unauthorized intrusions into our network between 2011 and 2018,” the company wrote. “None of these intrusions, individually or in the aggregate, has had a material adverse effect on our business, operations, or products.” The company didn’t respond to requests for additional details about those intrusions.

Federal officials had concerns about China’s dominant role in global electronics manufacturing before Supermicro’s products drew sustained U.S. government scrutiny. Another Pentagon supplier that received attention was China’s Lenovo Group Ltd. In 2008, U.S. investigators found that military units in Iraq were using Lenovo laptops in which the hardware had been altered. The discovery surfaced later in little-noticed testimony during a U.S. criminal case - a rare public description of a Chinese hardware hack.

“A large amount of Lenovo laptops were sold to the U.S. military that had a chip encrypted on the motherboard that would record all the data that was being inputted into that laptop and send it back to China,” Lee Chieffalo, who managed a Marine network operations center near Fallujah, Iraq, testified during that 2010 case. “That was a huge security breach. We don’t have any idea how much data they got, but we had to take all those systems off the network.”

Three former U.S. officials confirmed Chieffalo’s description of an added chip on Lenovo motherboards. The episode was a warning to the U.S. government about altered hardware, they said. Lenovo was unaware of the testimony and the U.S. military hasn’t told the company of any security concerns about its products, spokeswoman Charlotte West said in an email. U.S. officials conducted “an extensive probe into Lenovo’s background and trustworthiness” while reviewing its 2014 acquisitions of businesses from IBM and Google, West said. Both purchases were approved. “As there have been no reports of any problems, we have no way to assess the allegations you cite or whether security concerns may have been triggered by third-party interference,” West said.
