Nearly three years ago, Bloomberg Businessweek made a bombshell allegation: that the Chinese state had infiltrated server manufacturer Supermicro, adding tiny chips to its motherboards that ended up in US government and cloud company data centers. This, they said, allowed unprecedented access to an adversary state.
Supermicro's share price cratered on the claim, but quickly returned as virtually every company mentioned in the piece denied the allegation, as did all major security agencies.
Now, after years of silence, Bloomberg has published another article standing by its claims - and expanding upon them further. Supermicro continues to deny the allegations.
Show us the chips
The publication's 2018 feature alleged that rice grain-sized chips were discovered on Supermicro servers by Amazon when it considered acquiring Elemental Technologies.
After Amazon informed the FBI, Apple also found a chip, Bloomberg claimed. Apple quickly removed all Supermicro servers from its data centers.
Both companies admitted their relationship had come to an end, but forcefully disputed the reason. Apple went on to write a letter to the US Congress denying the story, while CEO Tim Cook and AWS CEO Andy Jassy called for Bloomberg to retract the article. "It is 100 percent a lie, there is no truth to it," Cook said at the time.
Supermicro hired a third-party investigations firm, Nardello & Co, to examine the veracity of the report, but it was unable to find any evidence supporting Bloomberg's claims. The US Department of Homeland Security also disputed the claim, while the NSA said it was “befuddled” by the article.
Following the article, Supermicro moved manufacturing out of China because of customer concerns arising from the reporting, but continued to deny the allegations. Bloomberg said that it stood by the article, but did not provide any other updates. The two journalists named in the article did not have any more bylines for months.
Now the same journalists have returned with a new, deeper report. It looks at a wider history of alleged tampering of Supermicro motherboards.
The article alleges the Department of Defense found that thousands of its servers were sending network data to China due to secret chips on Supermicro motherboards way back in 2010. A similar incident happened in 2014 with Intel.
The FBI reportedly launched a probe in 2012, monitoring a small group of Supermicro employees. It is not known if the probe is ongoing.
Government agencies declined to comment on the report or its claims, but Bloomberg quotes several tech employees who say they were briefed by the FBI, as well as a former NASA CIO.
Intel is still a major Supermicro customer, but others appear to have shifted from them - although in the case of cloud providers, this may be more due to market realities as they have embraced low-cost ODM server manufacturers.
One cybersecurity exec, who previously worked at Cisco and Microsoft, told Bloomberg that the US Air Force briefed him about the chip.
“This wasn’t a case of a guy stealing a board and soldering a chip on in his hotel room; it was architected onto the final device,” he said, declining to reveal which company he worked for at the time.
Bloomberg alleges the US government took steps to isolate Supermicro servers from classified networks, but in many cases left them unaltered so as not to alert the Chinese government that it had been found out. Before showing their hand, US officials first wanted to discover what the hackers' aims were.
Supermicro has not itself been accused of any wrongdoing. Instead, the working theory is that the Chinese government infiltrated the company, or one of its manufacturing partners, to add the chips without its knowledge.
"Bloomberg’s story, as they have characterized it to us, is a mishmash of disparate and inaccurate allegations that date back many years," Supermicro said in a statement following the latest article.
"It draws farfetched conclusions that once again don’t withstand scrutiny. Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back 10 years, Supermicro has never been contacted by the US government, or by any of our partners or customers, about these alleged investigations. Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing. To the contrary, several of the US government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years."