NCSC and the US’ Department of Homeland Security both say they support denials by Apple, Amazon and Super Micro as mystery grows around China’s alleged hack of manufacturing supply chain
The mystery has grown around an alleged Chinese campaign of infiltrating the supply chain of a popular server maker, after security agencies in the UK and the US denied knowledge of the claims.
Bloomberg reported last week that tiny microchips had been built into servers made by US-based Super Micro, which manufactured the servers at sites in China.
The servers were allegedly used by major companies including Apple and Amazon, as well as US government contractors.
The media group cited some 17 unnamed sources within the US government and the companies involved to support its report.
But it provided no way for companies to verify its claims or to examine their own Super Micro servers for the malicious chip, which was said to be the size of a grain of rice.
Security experts said successfully infiltrating the manufacturing supply chain in the way reported would be next to impossible, and Apple and Amazon both provided detailed statements refuting the claims, which were also denied by Super Micro and the Chinese government.
The report followed years of allegations by governments in the US and elsewhere that China’s dominance of high-tech manufacturing could lead to national security issues in areas such as telecommunications networks.
Over the weekend, the UK’s National Cyber Security Centre (NCSC) and the US’ Department of Homeland Security (DHS) both issued statements in support of Apple and Amazon’s AWS cloud unit.
“We are aware of the media reports but at this stage have no reason to doubt the detailed assessments made by AWS and Apple,” the NCSC, which operates under the auspices of GCHQ, said on Friday.
“The NCSC engages confidentially with security researchers and urges anybody with credible intelligence about these reports to contact us.”
On Saturday, the DHS said: “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
Reuters on Friday cited Apple’s recently retired general counsel, Bruce Sewell, as saying he contacted the FBI’s then-general counsel, James Baker, in 2017 after Bloomberg approached him about the issue, which Bloomberg said was the subject of an ongoing government investigation.
“I got on the phone with him personally and said, ‘Do you know anything about this?’” Sewell was quoted as saying. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and said ‘Nobody here knows what this story is about.’”
The head of Taiwan’s military cyber warfare operations said the allegations could lead to changes in tech manufacturing practices.
“If this all gets dragged out into daylight, we will see a commercial storm,” Major General Ma Ying-han, commander of Taiwan’s electronic warfare command, told the Financial Times on Monday, without providing any additional evidence in support of Bloomberg’s report. Taiwan is politically hostile to the Chinese mainland.
The US and China are currently engaged in an increasingly bitter trade dispute that has affected the importation of tech products, amongst others.