A special report by Bloomberg describes a coordinated campaign by the Chinese to install spyware in the form of tiny microchips secreted away in the equipment manufactured on the mainland for major American tech companies like Amazon
According to the report, the story begins in 2015, Amazon started to evaluate a startup called Elemental Technologies. Amazon thought this Portland, Oregon-based company, which specialized in compressing video files and formatting them for mobile and desktop devices, would be able to help expand its video streaming service - what later became Amazon Prime Video. Elemental was considered a strong candidate because it had contracts with national security, having helped the US government with projects for NASA, the CIA, and the Department of Defense.
Elemental provided its services through pricey servers its customers installed in their networks to handle videos. These servers were manufactured by Super Micro Computer Inc. (OTCMKTS: SMCI), also known as Supermicro. As part of its evaluation of Elemental, Amazon ran an audit of these servers. Inside, they found microchips attached to motherboards that weren't accounted for in the original server designs.
Amazon then alerted US authorities, who began a top-secret investigation. As a result of that investigation, they found that a) the chips were installed in factories run by subcontractors in China, and b) that those chips allowed attackers from the Chinese military to infiltrate both the US government and an estimated 30 Supermicro clients - including Apple, though Apple terminated its relationship with Supermicro for unrelated reasons in 2015 - as part of a long-term scheme to access valuable corporate and national security secrets. There is no evidence that any consumer data was compromised.
Amazon, Apple, Supermicro, and the Chinese government have all denied that they were aware of, or, to their knowledge, impacted by, any "supply chain compromise, an issue with malicious chips, or hardware modifications." Bloomberg says that its sources - six current and former national security officials, as well as multiple former Amazon Web Services and Apple employees familiar with the matter, for a total of 17 individuals - refute these denials. Yet a few days after the release of Bloomberg's report, the Department of Homeland Security issued a public statement that in effect supported Amazon and Apple, saying that there was "no reason to doubt" the companies. While Bloomberg has stood by the story, the truth of what occurred is still unclear.
If Bloomberg's report is accurate, it's unknown what China was able to access, or what it did with any information it did access. Still, the report presents such supply chain attacks as a largely unexplored threat to cybersecurity, with no commercially viable methods of detection yet available.
