Supermicro iCloud spy chip report bolstered by US telecom network hardware hack

By Malcolm Owen

Bloomberg is doubling down on its investigative report claiming servers belonging to Apple, Amazon, and other major organizations were tampered with by China, by citing documents and analysis from a security expert working for a major telecommunications firm.

The latest allegations stem from Sepio Systems chief Yossi Appleboum, whose firm was hired to scan several large data centers belonging to an unidentified customer. The company in question is not named, under claims that doing so would break Appleboum's nondisclosure agreement with the customer.

According to Bloomberg's latest report, "unusual communications from a Supermicro server" prompted a physical inspection, which in turn revealed an implant in the Ethernet connector. Appleboum claims he had seen similar things happen to a variety of computer hardware produced under contract in China, and not just Supermicro products.

"Supermicro is a victim - so is everyone else," Appleboum claims, adding concern that there are many points in the supply chain in China where such alterations to products could be made, and that finding where it took place is practically impossible. "That's the problem with the Chinese supply chain," the executive stressed.

According to Appleboum, the telecom company's server was modified in the factory where it was produced, with Western intelligence contacts advising it was made at a Supermicro subcontractor in Guangzhou, southeastern China. The telecoms facility allegedly housed a large number of Supermicro servers, and technicians could not say what kind of data was moving through the infected server. It is also unknown if the FBI was informed by the client.

AT&T spokesman Fletcher Cook said in response to the report, "These devices are not part of our network, and we are not affected." A similar "not affected" statement was received from Verizon, while T-Mobile and Sprint did not respond to comment requests.

This report is the first with a named source. The report also notes that this vector of attack differs from Bloomberg's account.

"The security of our customers and the integrity of our products are core to our business and our company values," said Supermicro in a statement to the report. "We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry."

"We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found," the statement continued, before claiming to be "dismayed" by Bloomberg providing "only limited information, no documentation, and half a day to respond" to the new allegations.

Supposedly designed by the Chinese military, the chip is claimed to act as a "stealth doorway onto any network," and to offer "long-term stealth access" to attached computer systems. The original Bloomberg report has since been denied by many of the companies identified in the article, including a strong denial from Apple characterizing the report as "wrong and misinformed."

Apple has also reportedly performed a "massive, granular, and siloed investigation" into claims leveled in the report, but failed to find any evidence of hardware tampering or to identify unrelated incidents that could have contributed to the claims. Apple has since written to the U.S. Congress on the matter, insisting there is a lack of evidence.

The Department of Homeland Security has chimed in, alongside the UK's National Cyber Security Centre, with both casting doubt on the report. Other U.S. officials are also uncertain of the report's accuracy, with one official changing their stance from their original suggestion the "thrust of the article" was true.

One of the few named sources in the original report has also revealed doubts over the veracity of the story, including dealings with journalist Jordan Robertson, one of the Bloomberg report's authors. Security researcher Joe Fitzpatrick advised on Monday he had discussed proof-of-concept devices he had demonstrated at Black Hat 2016, but found it strange that ideas he mentioned were confirmed to the publication by other sources.