More than two years after Bloomberg Businessweek published a widely disputed investigation claiming the Chinese government had secretly installed microchips on server motherboards produced by Supermicro that were used to spy on companies like Amazon and Apple, the outlet has published its follow-up, which doubles down on the initial report and expands the scope of the alleged espionage to a dizzying degree.
Titled “The Big Hack,” the initial Businessweek cover story, published in October 2018 and authored by Jordan Robertson and Michael Riley, drew widespread criticism from other journalists and commentators, and was directly disputed by Apple, Amazon, and server manufacturer Supermicro. These allegedly compromised servers, the report claimed, were used by nearly 30 companies—banks, government contractors, Amazon, and Apple among them—giving China’s People’s Liberation Army a backdoor “into any network that included the altered machines.”
It’s a wild report and was summarily panned as questionable, at best. Apple, which rarely speaks publicly about specific news stories, issued a stunning rebuttal soon after the story’s publication, refuting many of its most shocking claims directly. Apple CEO Tim Cook later called for Businessweek to retract the story. “There is no truth in their story about Apple,” Cook told BuzzFeed News. “They need to do the right thing and retract it.”
Amazon, too, denied many of the claims the Businessweek story made about the company. “There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count,” wrote Steve Schmidt, chief information security officer at AWS, the company’s cloud business. Two weeks after the story’s publication, Supermicro refuted the story’s veracity in a letter to customers. And in December 2018, the company said a third-party audit “found absolutely no evidence of malicious hardware on our motherboards.”
On top of the story’s main subjects denying the report’s accuracy, the U.S. Department of Homeland Security, then-Director of National Intelligence Dan Coates, the NSA, and the UK’s National Cyber Security Centre publicly cast doubt on the story. Security researchers and journalists picked the story apart, with some questioning whether the whole thing was simply made up.
Bloomberg News, however, stood by the story, which became a thing of lore among technology journalists who would periodically ask each other, “what the hell happened with that?” Well, what happened was Robertson and Riley spent nearly two-and-a-half years since the technology world cast doubt on their report further digging into the story, which they claim now is far more wide-reaching than their original bombshell report.
The follow-up story, published early Friday morning, directly addresses the controversy of the first report and does not walk back any of its claims. Indeed, it details “a larger chain of events” around the alleged Chinese spy plot.
Bloomberg Businessweek first reported on China’s meddling with Supermicro products in October 2018, in an article that focused on accounts of added malicious chips found on server motherboards in 2015. That story said Apple Inc. and Amazon.com Inc. had discovered the chips on equipment they’d purchased. Supermicro, Apple and Amazon publicly called for a retraction. U.S. government officials also disputed the article.
With additional reporting, it’s now clear that the Businessweek report captured only part of a larger chain of events in which U.S. officials first suspected, then investigated, monitored and tried to manage China’s repeated manipulation of Supermicro’s products.
The report—which the authors say is based on interviews with more than 50 individuals, most of whom are unnamed and at least 14 of which are identified as “former law enforcement and intelligence officials familiar with the matter”—aims to tie together a series of security breaches that are all allegedly linked to Supermicro.
First, the story claims that the FBI has been investigating Supermicro for nearly a decade, according to those aforementioned former law enforcement and intelligence officials. Also, according to five unnamed sources, the FBI has been monitoring Supermicro employees thanks to warrants obtained under the Foreign Intelligence Surveillance Act (FISA).
The report also says that the U.S. military in 2008 discovered that Lenovo laptops used by troops in Iraq had a chip “on the motherboard that would record all the data that was being inputted into that laptop and send it back to China,” according to testimony in a 2010 criminal case by Lee Chieffalo, who was involved in network operations for the Marines in Falluja. Businessweek writes that three unnamed officials confirmed Chieffalo’s description. A Lenovo spokesperson said the company wasn’t aware of the security issue despite an “extensive probe into Lenovo’s background and trustworthiness” by U.S. officials ahead of business deals with IBM and Google, and that “there have been no reports of any problems.”
Further, according to multiple unnamed sources, the follow-up story claims Pentagon systems were secretly sending information to China, and one unnamed source claimed the malicious “implant” was found on “thousands of servers.” The intrusive instructions in Pentagon servers, Businessweek reports, consisted, in part, of code that was “customized by workers associated with Supermicro,” according to unnamed government officials. The Pentagon reportedly responded to the intrusion by keeping their knowledge of it a secret and, according to two unnamed sources, “devised undetectable countermeasures to protect its networks.”
Finally, the report says Intel found in 2014 that a breach of its system was the result of a firmware update downloaded from Supermicro’s website. The attack was allegedly linked to a state-sponsored hacker group known as APT 17, which is believed to be based in China. Intel said the breach had “no impact to our network or data” but did not dispute finding a connection to Supermicro.
On top of all this, the new Businessweek report cites multiple people, most named and on the record, who say the U.S. government warned them or companies they consulted for about the presence of secret spy chips added to servers. For example, one of the named sources, Mukul Kumar, who was at the time the chief security officer for chip designer Altera Corp., said he received an unclassified briefing in 2015 where he was told, “there was a chip on the board that was not supposed to be there that was calling home—not to Supermicro but to China.” In total, Businessweek cited executives from 10 companies and one representing a “large municipal utility” who said they received similar warnings.
Supermicro said in a statement that it has never been contacted by government officials about claims of China tampering with its motherboards and called the story “a mishmash of disparate and inaccurate allegations” that draws “far-fetched conclusions.”
“Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back 10 years, Supermicro has never been contacted by the U.S. government, or by any of our partners or customers, about these alleged investigations,” the statement reads. “Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing. To the contrary, several of the U.S. government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years.”
China also denied the report’s accuracy, with a spokesperson saying the country’s government “has never and will never require enterprises or individuals to collect or provide data, information and intelligence from other countries for the Chinese government by installing ‘back doors.’”
Critics of Businessweek’s reporting were quick to dissect the latest report in an attempt to punch holes in it. The primary complaint is that it lacks hard evidence and is instead based largely on anonymous sources whose claims cannot be fact-checked by third parties—a common complaint against reports based on unnamed sources. The report also weaves together claims of software intrusions with allegations of secret spy chips that are, at best, confusing.
Ultimately, what you think of the two reports comes down to who you trust. That Businessweek relied primarily on anonymous sources and largely lacks documents or other hard evidence of their claims isn’t unusual for a story about a major national security issue—it can be easier, to a degree, to get government sources to talk than to leak sensitive documents. And the use of anonymous sources alone isn’t necessarily a reason to doubt the reporting. But there’s still the powerful wave of denials following the initial story that make it difficult to put faith in the reporting alone. Then there’s the fact that the original story appeared to include photos of the actual chip, which it did not. (You had to read and decipher the fine print to know the chip pictured for the article was a similar-looking component.)
Perhaps if they ever get their mitts on the actual chip—and can prove so with documented evidence—we can stop debating whether to believe these reports and start worrying about what their findings mean.