Senators Question Supermicro on Report of Chinese Hardware Hack
(Bloomberg) -- Two U.S. senators sent a letter to Super Micro Computer Inc. asking if and when the company found evidence of tampering with hardware components after a Bloomberg Businessweek report described how China’s intelligence services used subcontractors to plant malicious chips in the company’s server motherboards.
Florida Republican Marco Rubio and Connecticut Democrat Richard Blumenthal on Tuesday gave the company until Oct. 17 to respond to a list of questions that also includes whether the company investigated its supply chain and cooperated with U.S. law enforcement.
In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Super Micro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Super Micro and both Amazon and Apple disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.
“We are alarmed about the dangers posed by backdoors, and take any claimed threat to the nation’s networks and supply chain seriously,” the lawmakers said in the letter. “These new allegations require thorough answers and urgent investigation for customers, law enforcement and Congress.”
Cybersecurity is becoming an increasingly important topic of congressional investigation following concerns about foreign actors compromising election security and technology infrastructure. Among the targets of the Chinese hack identified by Bloomberg was a contractor that made software to help funnel drone footage to the Central Intelligence Agency and communicate with the International Space Station.
The infiltration of the computer systems, which stemmed from servers assembled by Super Micro, was investigated as part of an FBI counter-intelligence probe, according to the Bloomberg Businessweek report, which cited national security officials familiar with the matter.
Investigators found that tiny microchips, not much bigger than a grain of rice, had been inserted during manufacturing in China onto equipment made by subcontractors of Super Micro. The San Jose, California-based company is one of the world’s biggest suppliers of server motherboards, the fiber-mounted clusters of chips and capacitors that act as neurons of data centers.
Investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines, according to the report, citing people familiar with the matter.
In emailed statements, Amazon, Apple and Super Micro disputed Bloomberg Businessweek’s reporting. The Chinese government, also in an emailed statement, said in part, “we hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration.”
On Tuesday, Bloomberg News reported that a major U.S. telecommunications company discovered manipulated hardware from Super Micro and removed it in August, citing Yossi Appleboum, a security expert for the telecommunications company. He provided documents, analysis and other evidence of the discovery after the publication of the Bloomberg Businessweek report. Bloomberg is not identifying the company due to Appleboum’s nondisclosure agreement with the client.
Based on his inspection of the device, Appleboum determined that the telecom company’s server was modified at the factory where it was manufactured. He said that he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China. Guangzhou is 90 miles upstream from Shenzhen, dubbed the ‘Silicon Valley of Hardware,’ and home to giants such as Tencent Holdings Ltd. and Huawei Technologies Co. Ltd.
Super Micro gave this statement in response to questions about Appleboum’s allegations: “The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found.”
“We have received and are reviewing the letter from Senator Rubio and Senator Blumenthal,” Super Micro said in a statement on Tuesday night. “We take the integrity of our products seriously and look forward to engaging on these important matters.”
©2018 Bloomberg L.P.