A new report alleges that the Chinese government directly interceded to insert small microchips into motherboards from a company called Supermicro. Those motherboards are in use in servers everywhere from the adult film industry to U.S. military and U.S. Intelligence Community data centers, and the chips would open them up to remote hacks. If the claims turn out to be true, it would be an intelligence operation of historic proportions that would have far-reaching and long-lasting ramifications. On Oct. 4, 2018, Bloomberg Businessweek published its story, which is the culmination of years of investigative work and cites nearly 20 anonymous sources from both the U.S. government and private companies reportedly involved in the affair. The piece says that American authorities first became aware of the existence of the chips in 2015, that the classified probe is still ongoing, and that U.S. officials have identified an unspecified unit of the People’s Liberation Army (PLA) as being responsible for sneaking the malicious hardware into the servers.

“Think of Supermicro as the Microsoft of the hardware world,” a former U.S. intelligence official told Bloomberg. “Attacking Supermicro motherboards is like attacking Windows. It’s like attacking the whole world.” By 2015, the San Jose-based firm had sold thousands of servers to more than 900 customers in around 100 countries. That customer base includes the Central Intelligence Agency, various elements of the U.S. military, the Department of Homeland Security, NASA, and the U.S. Congress, as well as big-name tech firms such as Apple.

The basic concept behind the alleged plan is relatively straightforward. The PLA unit in question allegedly infiltrated Supermicro’s China-based subcontractors, who actually make the motherboards, and added its own hardware, reportedly no bigger than a grain of rice or the tip of a pencil. These chips themselves don’t do much on their own, but what they do is immensely important. The small amount of computer code they contain instructs the completed servers to be open to outside modifications and to be ready to receive further code from other computers remotely, creating a backdoor for hackers to access the information they contain. The hardware could potentially have other functions as well, including acting as a remotely-operated kill-switch to just shut down a system entirely on command. Hackers could also potentially use it as a gateway to feed false or confusing information into a target system. These types of threats are a long-standing security concern. Just in August 2018, President Donald Trump signed a bill into law that makes it illegal for U.S. government agencies to purchase devices from Chinese firms Huawei and ZTE Corp, over fears that the Chinese government might seek to tamper with them. The U.S. military had temporarily imposed similar restrictions on small drones from China-based company DJI over security concerns in 2017.

USMC The U.S. military stopped using DJI drones, such as this Phantom, for a time in 2017 over fears that they could be scooping up sensitive information and sending it back to the Chinese company.

Chinese hacking of, or attempts to hack, private companies and government agencies is also well established at this point. In June 2018, The Washington Post reported that China had stolen information on a highly-classified anti-ship missile known as Sea Dragon from a U.S. government contractor’s computer system. There is no evidence as yet to indicate that this was at all related to the hardware tampering Bloomberg has described. But implementing such a plan to exploit the actual hardware in specific systems is reportedly extremely difficult, with so many opportunities for authorities and private security experts to uncover the scheme. Intelligence agencies and security experts have dismissed the likelihood that it could occur on as grand a scale as Bloomberg’s story suggests. “Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc., explained to Bloomberg. “Hardware is just so far off the radar, it’s almost treated like black magic.” It’s not entirely clear when the chips first began appearing in Supermicro’s servers or whether the Chinese tried at all to focus their efforts on hardware bound for specific destinations. The size and scope of the American company's customer base would have made it a particularly attractive target for China's intelligence services.

Vmenkov via Wikimedia The provincial offices of China's Ministry of State Security, the country's main internal and external intelligence agency, in Wuhan.

The issue reportedly only became apparent in 2015 after Amazon sent systems a company called Elemental had produced, which included Supermicro servers, for a deep security inspection, according to Bloomberg. Amazon Web Services was looking to acquire Elemental, which specialized in hardware to support online video-streaming services, to help with its own projects, such as Amazon Prime Video. The unnamed third-party security firm located the chips, after which Amazon reportedly informed the Federal Bureau of Investigation, prompting the still-ongoing investigation. One of Bloomberg’s anonymous sources said that U.S. officials identified at least 30 private companies, including Apple, that had the sabotaged servers. It is important to note, however, that Amazon, Apple, and Supermicro have all vociferously, publicly, and categorically denied Bloomberg’s reporting. The three companies say they have never located a piece of malicious hardware in the servers or contacted the U.S. government about such an issue, and that they are not aware of any investigation. The Chinese government, not surprisingly, issued a vague and indirect response when the outlet asked for comment. That being said, in 2016, Apple did stop buying products from Supermicro entirely, citing a security incident it said was unrelated to any hardware tampering. In August 2018, the Nasdaq stock market index suspended trading in shares of the company, citing irregularities in its filings with the Securities and Exchange Commission.

Chinatopix via AP An Apple Store in Shanghai, China. Apple is reportedly one of the companies that ended up with the compromised motherboards.