Report: Chinese spies snuck tiny backdoor chips onto US corporate, government and military servers


According to an explosive report in Bloomberg, US spies and large corporate IT departments have had an open secret for years: the servers supplied by US hardware giant Supermicro for Elemental, Inc were sometimes infected with tiny hardware backdoors by Chinese spies during their manufacture; these superminiature chips were wired into the systems' baseboard management system and were able to accept covert software patches that would allow Chinese spies to utterly compromise both the servers and the networks they were connected to.


Elemental had a formal partnership with In-Q-Tel, the CIA's investment arm, which gave it an air of trustworthiness that allowed it to sell billions of dollars' worth of hardware to US entities.


The list of compromised entities is terrifying: Apple, Amazon, the Pentagon, DoD drone operations, Navy battleships, NASA, Congress and the Senate, even Bloomberg itself. All of these entities officially deny that they were ever compromised by the attack and claim that they have no knowledge of these hardware backdoors — but Bloomberg's Jordan Robertson and Michael Riley cite multiple anonymous insiders and former insiders who say that the attack came to light in 2015 when Apple first discovered unusual traffic on its network and that in the years since, there have been mass teardowns of data-centers and divestments from Supermicro and Elemental.

The exception is Amazon, who actually acquired Elemental after they were made aware of the hack.

According to anonymous US spies interviewed by the Bloomberg writers, US intelligence operatives were able to identify the two Supermicro subcontractors in China where the motherboards were doctored, and learned that the managers in these factories with bribed, and then threatened, by the People's Liberation Army.


The Chinese government also denies that this took place.


Early generations of the backdoor chips were the size of a rice-grain, disguised as an innocuous signal-conditioning chip. Later generations were even smaller — the size of a pencil-tip — and could be sandwiched between the fiberglass layers of the motherboards.


Officials familiar with the investigation say the primary role of implants such as these is to open doors that other attackers can go through. "Hardware attacks are about access," as one former senior official puts it. In simplified terms, the implants on Supermicro hardware manipulated the core operating instructions that tell the server what to do as data move across a motherboard, two people familiar with the chips' operation say. This happened at a crucial moment, as small bits of the operating system were being stored in the board's temporary memory en route to the server's central processor, the CPU. The implant was placed on the board in a way that allowed it to effectively edit this information queue, injecting its own code or altering the order of the instructions the CPU was meant to follow. Deviously small changes could create disastrous effects.

Since the implants were small, the amount of code they contained was small as well. But they were capable of doing two very important things: telling the device to communicate with one of several anonymous computers elsewhere on the internet that were loaded with more complex code; and preparing the device's operating system to accept this new code. The illicit chips could do all this because they were connected to the baseboard management controller, a kind of superchip that administrators use to remotely log in to problematic servers, giving them access to the most sensitive code even on machines that have crashed or are turned off.

This system could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser. To understand the power that would give them, take this hypothetical example: Somewhere in the Linux operating system, which runs in many servers, is code that authorizes a user by verifying a typed password against a stored encrypted one. An implanted chip can alter part of that code so the server won't check for a password—and presto! A secure machine is open to any and all users. A chip can also steal encryption keys for secure communications, block security updates that would neutralize the attack, and open up new pathways to the internet. Should some anomaly be noticed, it would likely be cast as an unexplained oddity. "The hardware opens whatever door it wants," says Joe FitzPatrick, founder of Hardware Security Resources LLC, a company that trains cybersecurity professionals in hardware hacking techniques.


The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies [Jordan Robertson and Michael Riley/Bloomberg]