A Chinese military unit has been inserting tiny microchips into computer servers used by companies including Apple and Amazon that give China unprecedented backdoor access to computers and data, according to a new Bloomberg report.
The tiny chips, as small as the tip of a sharpened pencil and designed to be undetectable without specialist equipment, were implanted on to the motherboards of servers on the production line in China, the report in Bloomberg Businessweek said.
The chips were reportedly developed by a specialised computer hardware attack unit in the People’s Liberation Army, and gave hackers unfettered access to anything the server did, allowing them to potentially manipulate the server to steal data, contact other servers and alter operations.
“Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” Joe Grand, a hardware hacker and the founder of Grand Idea Studio, told Bloomberg.
The allegedly compromised hardware, sold by Super Micro Computer, which is based in San Jose, California and described as “the Microsoft of the hardware world”, found its way into the data centres and operations of 30 companies, including Apple and Amazon as well as banks, hedge funds and government contractors, according to the report.
The attack was reportedly discovered in 2015 by the US intelligence services, as well as by Apple and Amazon as the companies purchased servers made by Super Micro Computer.
The report cited 17 unnamed intelligence and company sources as saying that Chinese spies had placed computer chips inside equipment used by around 30 companies, as well as multiple US government agencies, which would give Beijing secret access to internal networks.
Amazon, Apple and Super Micro have all denied Bloomberg’s report. Amazon said: “It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
Apple said: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
The Chinese government has also denied the report. A spokesperson said: “China is a resolute defender of cybersecurity. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”
There have been increased concerns about foreign intelligence agencies infiltrating US and other companies via so-called “supply chain attacks”, particularly from China where multiple global tech firms outsource their manufacturing.