China Planted a Hacking Chip on Computers Used by Department of Defense for Classified Information

In what may be one of the boldest examples of hardware hacking by a nation ever to be publicly reported, microchips “not much bigger than a grain of rice” were discovered on motherboards used in servers by approximately 30 US companies. Some of those companies provide services to US government organizations, including the Department of Defense.

The tiny devices, according to a report by Bloomberg, can siphon data off of the server as well as allow new code, like a Trojan Horse, to be inserted onto the server.

The Bloomberg report states that Amazon initially discovered the chip in systems created for Elemental Technologies, a company Amazon acquired in 2015, when the microchips were determined not to be part of the original design of the component. The servers featured motherboards by Super Micro Computer Inc., commonly referred to as Supermicro, one of the largest server motherboard suppliers in the world.

Apple also reportedly made a similar discovery during an internal review of some data center servers.

Supermicro commonly contracted out its motherboard manufacturing to China. Bloomberg asserts that China’s armed forces required the microchips to be added for servers designed for US customers.

While there’s no direct evidence that data was either stolen, damaged, or otherwise compromised, the microchip was reportedly present on servers used by a variety of US government organizations.

The Bloomberg report stated that Elemental servers “could be found in Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships.”

Along with Amazon and Apple, around 30 other US companies were also said to be affected by the hardware-based attack, including various government contractors and a major bank.

While Amazon and Apple both refute the story, both companies have previously severed relationships with, or distanced themselves from, Supermicro, citing “vulnerabilities” in software provided by Supermicro and an unrelated security incident, respectively.

Facebook also reportedly removed servers from its data centers after identifying malware in Supermicro’s software.

Bloomberg’s report has not been confirmed by intelligence sources willing to go on the record.

According to the publication, an investigation by the US intelligence community began three years ago and is still ongoing.