I hope no one thought this story was going to die away soon. Last week Bloomberg published a story claiming that server motherboards from Super Micro Computer (Supermicro) had malicious chips added to them when manufactured in China. These chips would alter the operating system being run on the server built on the motherboard, creating a point of access for other attacks. Impacted servers were allegedly found at Amazon, Apple, and as many as 30 other companies. Since then companies have denied the reporting, but now Bloomberg is sharing more information based on documents, analysis, and other evidence from Yossi Appleboum, a security expert who previously worked in the technology unit of the Israeli Army Intelligence Corps. Currently Appleboum is a co-chief executive officer for Sepio Systems that specializes in hardware security and encountered manipulated Supermicro servers when scanning the large data centers of a telecommunications company.
According to Appleboum, the malicious component was found in a server's Ethernet connector after unusual communications were discovered, leading to a physical inspection. This is not the only time he has seen such manipulations though, and he has seen them for more than just Supermicro products too. Supermicro is as much a victim as the companies receiving the modified motherboards. Appleboum says this server he inspected was modified at the factory it was manufactured at; a Supermicro subcontractor factory in Guangshou, a port city in China. While the chip itself differs from those Bloomberg covered last week, its effective purpose is similar.
In addition to covering this new information, Bloomberg also shared that it was in contact with the Norwegian National Security Authority that stated it was 'aware of an issue' with Supermicro products since June, but gave no additional details. Appleboum too has spoken with intelligence agencies outside the United States, which have also been follow manipulation of hardware from Supermicro and other companies.
Back to original news post