Were Amazon, Elemental, Apple and Thousands of Supermicro Servers Compromised by the Chinese Government?
I’m going to be discussing some astounding news from Bloomberg: an allegation that Chinese operatives working for the PLA (People’s Liberation Army) forced subcontractors working for Supermicro to alter their hardware design to bug the servers at the time of manufacturing. The implanted bug is said to intercept and alter instructions being sent to the CPUs, which allowed undetected remote access and connection to what sounds more like a command and control botnet (for the most part, although it is said that Apple admins detected unusual activity).
It also sounds more like we are talking about the baseboard or ILO/IPMI/KVM/IP being compromised. However, the article itself seems to insist no personal data was ever compromised, which once again seems to indicate it is more like backdoor access to the IPMI rather than being able to read raw data from the CPU and memory.
Bloomberg says this is an amazing feat to accomplish since we know agencies like the NSA favor bugging and implanting servers in transit or on premise. They would be correct, and of course anything is possible. They lay out a very realistic set of images they created but nothing of an actual motherboard that has supposedly been compromised. If this is true it is hard to hide and if this was a massive attack on Supermicro hardware at the design or factory level you would assume other owners would step forth with some information or pictures.
First of all, if this is true, where are the instructions and patches online to mitigate this issue (assuming it is possible)? I am hoping that a BIOS and IPMI update could solve it, but why is there no errata on the internet? The first thing I did was check Supermicro’s website for patches and announcements, and I also contacted my source there, who is insisting they do not know anything about this and the article is patently untrue. The part about Amazon creating AWS for the CIA is quite interesting but not surprising.
All parties involved are denying any of this ever took place, and the closest to the truth is that some firms say the IPMI firmware had a vulnerability that had to be patched (this is typical for most remotely accessed baseboards, whether by intention or design, and not unique to Supermicro). In fact, in 2016 Apple dropped Supermicro over what they allege was a firmware flaw in the IPMI or bad/fake firmware, and Supermicro confirmed it did happen but that Apple never co-operated or provided any details of its complaints. On that note, this is why I dislike built-in IPMI/KVM/ILO, as they are just another huge potential backdoor; they should never be connected to the public internet and should only be plugged in as necessary (I still prefer a separate hardware KVM/IP instead).
Why are all parties denying this ever happened? Maybe they don’t know or maybe some have reason to deny it? Time will tell if this is true but some critical holes have emerged in my mind.
For example, before the acquisition of Elemental’s server business, supposedly a third party in Toronto, Canada found these implanted devices, and the sale still went through and led to Amazon’s foray into the Chinese hosting industry. Then we are told that Amazon killed their bare metal/dedicated server business because it was a diseased limb and compromised with this bad Supermicro hardware? They also claimed they had legal restrictions in China relating to Cloud hosting, but then how is it that their AWS Cloud Platform remains but their Bare Metal Servers disappeared? Wouldn’t their AWS bare metal servers also likely be compromised? That’s an easy fix, and if it were true they could simply import all of their own hardware into China and set up their own datacenter. A lot of things don’t make sense here, and these statements from Bloomberg only add more to the mystery.
But I am extremely suspicious and skeptical based on the information or lack of it presented so far. Although Bloomberg presents very interesting and compelling graphical renditions they do not mention which motherboard(s) have this bug implanted and what server models from Supermicro. They don’t even have a picture of an actual motherboard which allegedly has this bug implanted.
Now, I am not doubting that much of our hardware and software has purposely implanted or designed malware or backdoors, so it is possible this happened. It could possibly be as simple as these modifications being done after they left Supermicro’s factory. I would think it would be extremely hard to have it ONLY targeted at servers and motherboards destined for Amazon and Apple.
If this did occur it’s also possible a foreign or third party has done this as a false flag, just as we know security agencies often produce malware and other cyber attacks and leave false footprints attributing it to a rival (something we learned with the Vault 7 release). We also know that PRISM is very real.
My suspicion is that this may be more politically motivated, to raise the question: should American companies have goods manufactured in China? They are in a trade war. No matter where goods are manufactured, you can be sure security agencies are implanting and modifying computer hardware at some point in the chain, as we’ve learned the NSA has done.
There’s not much more to say unless more credible actual information comes forward with small and medium companies being able to identify their motherboards are bugged. Then it is a matter of determining if this is how the motherboard was manufactured or if it is an “aftermarket” hack or modification. And I say this with the assumption that there is some truth to Bloomberg’s article. We’ve all read over the years about “credible” information about weapons in Iraq that didn’t exist and fake chemical attacks in Syria etc…
This would be an extremely great feat as Bloomberg said and I would say also extremely risky and the chances of it being caught or discovered rather high at some point. If someone finds these modifications are widespread then obviously entities worldwide would be asking a lot of questions. However, going back to the NSA we know a lot of companies around the world co-operate with them. It’s possible this is not an element attributed to the Chinese government, it could just as easily be a rogue team within Supermicro or their manufacturer. The truth is that we may never know for sure who was really behind this, and again, assuming this really happened.
Another point pertaining to the NSA is that US companies had to co-operate with them or risk being jailed. This meant refuting that the NSA was given backdoor access to their hardware, data and servers. They of course denied this to the public while it was fully true.
To say that Bloomberg has made a novel of an article, worthy of a nomination and its own spy movie is an understatement and if it’s true then this has major security implications for the whole world. Just like the NSA’s room 641A, this would be the tip of the iceberg of what I predicted back then. The question is, is it true and if so who is behind it and was it done at origin, in transit or on premise? One thing is for sure, we do know security agencies are known to modify computer hardware for the purposes of spying and infiltration.
Sources:
https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm
https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-amazon-apple-supermicro-and-beijing-respond
China reportedly infiltrated Apple and other US companies using ‘spy’ chips on servers
Amazon reportedly offloaded its Chinese server business because it was compromised
I have mixed feelings about this. On one hand, it’s possible, it’s also possible for us to colonize Mars at some point in human history. Did this happen the way Bloomberg presents it? Well, we simply don’t have enough to say. We need more information and more evidence.
Cheers,
A.Yasir