Chinese data theft: Apple and Amazon are among U.S. companies and agencies who have had data stolen by Chinese computer chips attached to server circuit boards made by a company called Super Micro Computer.
The servers had been compromised during the manufacturing process and the chips activated once they were installed and running, reported the news agency.
Apple released a strongly worded statement stating it had found “no evidence” to support the allegations of Chinese data theft, with Amazon and Super Micro also denying Bloomberg’s claims.
Bloomberg said its reporters had uncovered evidence of the wide-ranging espionage after a year-long investigation, and claimed the chips had given China access to 30 large companies and many federal agencies.
Bloomberg said the first details about the spying campaign emerged during security testing carried out by Amazon back in 2015, before it began using servers from US company Elemental, which had been manufactured by Super Micro Computer at plants in China.
It then claims this discovery then kicked off a long-running “top-secret probe” by US intelligence agencies, which found compromised servers in Department of Defence data centres, handling data gathered by drones and even onboard warships.
Many major U.S. banks were also reported to have been using Super Micro Computer hardware.
In response to today’s news that China has allegedly implanted small spy chips onto motherboards, which are installed in highly-sensitive US organisations, Kurt Baumgartner, principal security researcher at security solutions provider, Kaspersky Lab, said: “Any alleged compromise of the hardware supply chain is a worrying event. Big companies such as Facebook and Amazon design their own hardware because they use so much of it, so it would make sense that they would be the ones to find anything, and it is important that such companies keep examining their platforms.
“The incident reported in the media highlights how stealthy an attack using tiny, carefully crafted and hidden chips could be. They could potentially alter the operating system or reduce overall security, for example by weakening encryption schemes, or raising privileges and access. There is a lot at stake: personal and corporate communications, IP, customer data, and more.
“However, sooner or later, the chip would have to phone home, and it is when communicating with the attacker’s command and control system that undiscovered threats are often most vulnerable. A defender looking at network traffic suddenly spots the anomaly.
“This is a big problem for threat actors, but it helps the security industry. Security companies have warned about a rise in supply chain attacks for a while now, and it is an area organisations need to be very alert to. Even things such as USB sticks still need checking for irregular traffic as they continue to be actively used to spread infection.”