
Wednesday, 10 October 2018

New evidence of Chinese tampering with Supermicro hardware found in US telecoms company

A security expert has provided evidence that reveals how China’s intelligence services had ordered subcontractors to plant malicious chips in server motherboards
Bloomberg News

A major American telecommunications company discovered manipulated hardware from Super Micro Computer (Supermicro) in its network and removed it in August – fresh evidence of China tampering in critical technology components bound for the US, a security expert working for the company has said.
The expert, Yossi Appleboum, provided documents, analysis and other evidence of the discovery that detailed how China’s intelligence services had ordered subcontractors to plant malicious chips in Supermicro server motherboards over a two-year period ending in 2015.
Appleboum previously worked in the technology unit of the Israeli Army Intelligence Corps and is now co-chief executive officer of Sepio Systems in Gaithersburg, Maryland.
His firm specialises in hardware security and was hired to scan several large data centres belonging to the telecommunications company. 
The company is not being identified because of Appleboum’s nondisclosure agreement with the client.

Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server’s Ethernet connector, a component that’s used to attach network cables to the computer, Appleboum said. 
He said he has seen similar manipulations of different vendors’ computer hardware made by contractors in China, not just products from Supermicro.
Appleboum said his concern was that there are countless points in the supply chain in China where manipulations could be introduced, and deducing them can in many cases be impossible. 
“That’s the problem with the Chinese supply chain,” he said.
Headquartered in San Jose, California, Supermicro was founded in 1993 by Taiwanese-American Charles Liang.
Bloomberg News first contacted Supermicro for comment on this story on Monday morning Eastern time and gave the company 24 hours to respond.
Supermicro said after a Bloomberg BusinessWeek report last week that it “strongly refutes” reports that servers it sold to customers contained malicious microchips. 
China’s embassy in Washington did not return a request for comment on Monday.
Chinese mole or Trojan horse: Charles Liang opened gates to Chinese intelligence services.

In response to the earlier Bloomberg BusinessWeek investigation, China’s Ministry of Foreign Affairs didn’t directly address questions about the manipulation of Supermicro servers but said supply chain security was “an issue of common concern”.
The more recent manipulation is different from the one described in the report last week, but it shares key characteristics: They’re both designed to give attackers invisible access to data on a computer network in which the server is installed, and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China.
Based on his inspection of the device, Appleboum determined that the telecoms company’s server was modified at the factory where it was manufactured. 
He said that he was told by Western intelligence contacts that the device was made at a Supermicro subcontractor factory in Guangzhou, a port city in southeastern China.
Guangzhou is 90 miles upstream from Shenzhen, called the “Silicon Valley of Hardware”, and home to giants such as Tencent Holdings and Huawei Technologies.
The tampered hardware was found in a facility that had large numbers of Supermicro servers, and the telecommunications company’s technicians couldn’t answer what kind of data was pulsing through the infected one, said Appleboum, who accompanied them for a visual inspection of the machine.

It’s not clear if the telecommunications company contacted the FBI about the discovery. 
An FBI spokeswoman declined to comment on whether it was aware of the finding.
Representatives for AT&T and Verizon had no immediate comment on whether the malicious component was found in one of their servers. 
T-Mobile US and Sprint didn’t immediately respond to requests for comment.
Sepio Systems’ board includes Chairman Tamir Pardo, former director of the Israeli Mossad, the national defence agency of Israel, and its advisory board includes Robert Bigman, former chief information security officer of the US Central Intelligence Agency.
US communications networks are an important target of Chinese intelligence agencies because data from millions of mobile phones, computers, and other devices pass through their systems. 
Hardware implants are key tools used to create covert openings into those networks, perform reconnaissance and hunt for corporate intellectual property or government secrets.
In emails, Appleboum and his team refer to the implant as their “old friend” because he said they had previously seen several variations in investigations of hardware made by other companies manufacturing in China.

In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Supermicro reached almost 30 companies, including Amazon and Apple.
People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI’s cyber and counter-intelligence teams, and that the Homeland Security Department may not have been involved.
Counter-intelligence investigations are among the FBI’s most closely held, and few officials and agencies outside those units are briefed on the existence of those investigations.
Appleboum said that he had consulted intelligence agencies outside the US and that they told him they had been tracking the manipulation of Supermicro hardware, and the hardware of other companies, for some time.

Monday, 8 October 2018

China pencil-tip spy chip's ultimate market risk: The profits built on big tech's low-cost global supply chain

  • China slipped pencil tip–size spy chips into computer hardware made by an Amazon and Apple supplier, Super Micro, which itself relied on subcontractors in China.
  • The biggest U.S. tech companies have led the stock market based on profit models that rely on manufacturing of components in China.
  • Famed hedge fund manager David Einhorn said he sold all of his Apple stock on fears of more Chinese retaliation to the trade war.
By Edward McKinley

A report on Thursday that the Chinese government snuck a pencil tip–size spy chip into equipment from an Amazon and Apple component supplier called Super Micro was explosive, but experts say it isn't surprising: U.S. technology CEOs have been concerned about the risk of Chinese cyberespionage for years.
Bloomberg reported that the tiny pieces in American products were manufactured in China and then brought back to the United States, allowing the Chinese government to access secret information from major American tech corporations.
Apple, Amazon, Super Micro and the Chinese government each categorically denied the allegations in the Bloomberg story, but experts say the headline may influence an already tense trade war between the United States and China, at a time when President Donald Trump is broadening a definition of national security to stress the importance of domestic manufacturing.

Visitors walking past stands, including the Super Micro booth, during the Computex Taipei 2014 expo in Taiwan, June 3, 2014.

"It's just another chapter in the book of cybersecurity worries that have come from China," said Dan Ives, managing director of equity research for Wedbush Securities. 
"And I think it keeps a lot of U.S. tech CEOs up at night."
The risks to U.S. tech companies from Chinese cyberespionage have accelerated. 
Tech companies from both countries have been pitted against one another, as an enormous amount of American technology is produced in China due to the cheap costs, Ives said, and competition over who will cash in on the technology of tomorrow — in particular, artificial intelligence — is extremely fierce. 
Security concerns are virtually promised to be an issue for many years to come.
Tom Kellermann, chief cybersecurity officer of the security firm Carbon Black and the former commissioner of Barack Obama's cybersecurity council, told NBC News on Thursday that the Bloomberg article is a small example of China's larger efforts to spy on and disrupt U.S. businesses.
Kellermann said his firm has tracked a threefold increase in destructive cyberattacks coming from China, pushing it past Russia over the summer to be the most active adversary targeting U.S. companies.
Apple, the most profitable company in the world and the first to reach a $1 trillion market cap, like many technology companies has built its business model around a complex global supply chain that includes Chinese manufacturers.
"Look, this is a game of high-stakes poker between the U.S. and China, and this is just another card that's been dealt in this game," Ives said. 
"Wall Street believes the story has credibility, and it has fanned the flames of worry around China hacking the U.S. tech giants, which have a clear bulls-eye on their back, given this threat environment."

"This is a tough situation, because big corporations are never going to admit it. It would be more surprising if the Chinese didn't try to do something like this than if they did."
Derek Scissors, resident scholar and China expert, American Enterprise Institute.

'A tough situation'
China and the United States have competed for years economically, and China is expected to pass the United States in GDP in the coming years to become the world's largest economy. 
An escalating trade war is being fought between the two countries as President Trump wants to eliminate America's trade deficit. 
Further fueling the feud is a deep divide between how China and the United States think about the relationships between government, national security and economic security, said Derek Scissors, resident scholar and China expert at the conservative think tank American Enterprise Institute.
Scissors said he couldn't vouch for the specific details in the Bloomberg report, but it is consistent with the general concerns he has been hearing about for some time. 
"This is a tough situation, because big corporations are never going to admit it," he said, adding, 
"It would be more surprising if the Chinese didn't try to do something like this than if they did."
The American Enterprise Institute China expert said he spoke with administration officials in November 2016 during discussions about the start of an investigation of China's policies for tech transfer and intellectual property, called a Section 301 investigation, and attendees specifically brought up the threat of China using the supply chain to steal trade secrets from American tech companies or importers. 
Chinese trade-secret theft is not new, he said, but the methods outlined in the Bloomberg piece are, though it makes sense, as Chinese methods are growing more complex over time.
"The fundamental clash here between the U.S. and China comes from the fact that China is not a market economy," Scissors said.
The United States draws a sharp distinction between government and business interests, and its people are often deeply skeptical of Uncle Sam interfering with corporations. 
Historically, Scissors said, the United States has looked at national and economic security as separate domains, and there's no incentive or even mechanism by which the government would take action to help American businesses or hurt foreign competitors.
"We've always thought if you're spying on their government or their military, that's normal, but spying on their companies — oh, that's cheating," Scissors said.
For China, on the other hand, anything goes.
"Their government works hand in hand with their companies all the time," he said. 
"That's absolutely standard practice in China, and it would be bizarre if they didn't do that."

Specific examples of China spying on U.S. companies rarely become public knowledge, because corporations are worried if they acknowledge them, it will hurt their stock prices, Scissors said, adding that even so, this kind of thing happens regularly.
Shares of Super Micro, which has been trading as an over-the-counter stock since it was delisted in late August for failing to file financial reports, were down by close to 50 percent on Thursday.
Apple and Amazon were both down sharply on Thursday, though their losses came amid a broad U.S. tech sector sell-off of around 2 percent, and higher Treasury yields were cited as a reason for a risk-off day in the stock market.
J.P. Morgan released a report predicting a full-on trade war between the U.S. and China was its base-case scenario for 2019, though it predicted dire consequences for China's stock market.
Tech stocks continued to lead stock losses on Friday in another down day for the markets as rates ticked up again. 
Famed hedge fund manager David Einhorn said on Friday that he'd sold all of his Apple stock based on fears China would retaliate more against the U.S. as a result of the trade war.
Because of the ties between Chinese government and the country's businesses, the world's most populous country sees no difference between what's good for Chinese businesses and what's in the interest of Chinese national security, Scissors said. 
China sets out to damage foreign corporations not because they're American, but just because they're competing against Chinese companies. 
Using the military or intelligence services to spy on private companies is totally acceptable in their view. 
Furthermore, many Chinese people are deeply suspicious of the United States and think imported American products already spy on them, so many see it as just deserts.
America's longstanding norms of separation seem to be thawing, as the Trump administration is inching toward China's approach by slapping tariffs on foreign steel and cars, saying it is in America's national security interest.
Either way, the U.S. is still nowhere close to China's total singularity of the two domains, he added.
Within the past two years, the Trump administration also has been proceeding on several fronts specifically to protect against Chinese technology threats, with multiple investigations about Chinese intellectual property abuses through the Committee on Foreign Investment in the U.S., known as CFIUS, and at the highest levels of U.S. government, warnings have been issued to American consumers about buying smartphones from two of China's largest cell phone makers, ZTE and Huawei.
The threat that ZTE, viewed by some skeptics as an arm of the Chinese government, could build key future telecom infrastructure in the U.S. has been a concern for years. 
ZTE was on the verge of bankruptcy earlier this year based on U.S. policy moves to bar it from the market, until Trump personally stepped in to alleviate some pressure. 
The Trump administration blocked a merger between Broadcom and Qualcomm, citing national security and the companies' role in the rollout of key 5G telecom technology.
"So yes. We have taken a step in China's direction, and people complain about that both here and around the world, but there's a giant gap remaining," Scissors said. 
"The CIA and military are absolutely not going to take action to spy on Chinese companies for the sake of American companies. But the Chinese absolutely are."

How the US will respond
Experts expect responses to come from two levels: the government in the short run and businesses in the long run.
For the government, "This is a ready-made excuse on a platter to say, 'We need to do X' because look at the terrible things the Chinese are doing," Scissors said. 
"If the president gets angry, we could have more tariffs tomorrow, but I don't think we'll see that before the midterms."
"The thing is, you're running out of space to hurt the Chinese economically without hurting the U.S., too. You can hurt the Chinese more, but the thing is people don't vote on that. They don't say, 'Well, he hurt me economically but he hurt the Chinese more,'" Scissors said.
On Thursday night Vice President Mike Pence delivered a highly critical speech about China and its efforts to undermine President Trump, which immediately led to recriminations from Chinese officials.
There are two non-tariff steps that Scissors thinks are likely instead.
The first addresses the problem externally by imposing export controls on American businesses that work in China, which is a "very obvious response to this event," while the second works domestically.
"There will be people who want to throw a lot of Chinese workers and students out of the country. I'm not saying that's going to happen, I'm definitely not saying it's a good thing, but there's people in the administration that want to do that, and I think this just made it more likely."
Besides government action, Ives said, tech companies are also likely to take action to protect themselves.
The cost of manufacturing in China is so much less than in the United States that companies are forced to deal with the risk of espionage, Ives said, but as the cyber risk grows, it may change the calculus.
"The whole food chain is built on that premise, and that's what makes it so much more complex than moving a facility from Beijing to Middle America," Ives said. 
"In the near term that's almost an impossibility that it would shift, but over the medium term you'll actually see more manufacturing in the U.S. as a result of a concerted effort," Ives said.
As the cyberespionage fight heats up and President Trump's trade war looks likely to increase, there seems to be no doubt that the world's two largest economies have more conflict to come.
"If you look at U.S. and China tech and then throw 5G in it — look, it's going to be like an MMA battle in the coming years," Ives said.