While the 2018 story claimed that these servers had been supplied to well-known companies like Apple and Amazon, this time the claims, made by the same two reporters, Jordan Robertson and Michael Riley, are that the tampering was in servers supplied to government agencies in the main.
The allegations have two things in common: China and Super Micro Computer, a computer hardware maker in San Jose, California. If Robertson and Riley are to be believed, then American law enforcement authorities have been investigating these incidents from 2010 onwards, but have maintained a studious silence.
I'm starting to think Bloomberg is paid by hedge fund shorting stocks https://t.co/m61qSLdWa8 — Matt Suiche (@msuiche) February 13, 2021
As Bloomberg put it, all the instances "shared one other trait; US spymasters discovered the manipulations, but kept them largely secret as they tried to counter each one and learn more about China’s capabilities".
This time, a couple of sources are named, but they speak in generalisations, rather than specifics. For instance, Jay Tabb, a former executive assistant director of the FBI’s national security branch from 2018 to January 2020, was quoted as saying:
"Supermicro is the perfect illustration of how susceptible American companies are to potential nefarious tampering of any products they choose to have manufactured in China. It’s an example of the worst-case scenario if you don’t have complete supervision over where your devices are manufactured.”
“Yes, but was there ever a Supermicro grain'o'rice chip?” “Listen, that’s not really the issue! Maybe it was, maybe not, we will never know! But! Listen, the real issue here is China!” — Costin Raiu (@craiu) February 12, 2021
But at the same time, Bloomberg wrote that neither Supermicro nor its employees had even been accused of wrongful acts and the anonymous officials who were cited as sources said the company had not been targeted in any counter-intelligence investigation.
Supermicro's response to the story got little airtime, with a link provided to the whole reply. It says: "Bloomberg’s story, as they have characterised it to us, is a mish-mash of disparate and inaccurate allegations that date back many years. It draws far-fetched conclusions that once again don’t withstand scrutiny.
"Despite Bloomberg’s allegations about supposed cyber or national security investigations that date back 10 years, Supermicro has never been contacted by the US Government, or by any of our partners or customers, about these alleged investigations.
"Bloomberg has produced no conclusions from these alleged investigations. Nor could Bloomberg confirm to us if any alleged investigation was even ongoing.
"To the contrary, several of the US Government agencies Bloomberg claims had initiated investigations continue to use our products and have done so for years.
Only comment I plan to make on the Bloomberg SuperMicro story part 2:
- it’s an insanely sensational claim
- no evidence has ever been presented
- the specific journalists have routinely shown they struggle on technical details
- the burden of proof is on the journalists
— Robert M. Lee (@RobertMLee) February 12, 2021
"Bloomberg continues to attempt to revive its false and widely discredited 2018 story. In response to those allegations, we have never found any malicious chips, even after engaging a third-party security firm to conduct an independent investigation on our products.
"Nor have we been informed by any customer or government agency that such chips have ever been found. In 2018, several public and private sector officials rebutted the story on the record."
The two reporters claim to have spoken to 50 people from law enforcement, the military, Congress, intelligence agencies and the private sector for the new story but "most asked not to be named in order to share sensitive information. Some details were confirmed in corporate documents Bloomberg News reviewed".
Often the claims are second- and third-hand. For example, Mike Janke, a former Navy SEAL who co-founded DataTribe, a venture capital firm, spoke of personnel from two companies he advises telling him of being briefed by FBI staff who were investigating the addition of chips to Supermicro mainboards.
A few years ago, Robertson and Riley put out a story, claiming that the US Government had prior knowledge of the Heartbleed bug, a serious vulnerability in OpenSSL, before it was announced. Bloomberg did not issue a follow-up after the story was denied.
Barely a week since the "Russians can invert hash functions with quantum computers", and Bloomberg are at it again. The one source they dismissed is the one they probably should have listened to, "[Bloomberg has assembled] a mishmash of disparate and inaccurate allegations". https://t.co/0rCIiFFGnx — Tavis Ormandy (@taviso) February 12, 2021
Supermicro was founded by a Taiwanese immigrant to the US, Charles Liang. Most of the company's hardware is made in China – as is the case with most technology companies in the US.
The Bloomberg report also claims that laptops made by Lenovo and being used by US troops that invaded Iraq had altered hardware, information that was taken from a court document.
But the company was not told about this, with spokeswoman Charlotte West telling Robertson and Riley that US officials had investigated Lenovo's background and trustworthiness while a review was being conducted in 2014 when Lenovo wanted to acquire businesses owned by IBM and Google. Both acquisitions were waved through.
Anonymous officials were again cited in an alleged case of Supermicro servers exhibiting unusual behaviour in Pentagon networks. "Investigators attributed the rogue code to China’s intelligence agencies, the officials said. A former senior Pentagon official said there was 'no ambiguity' in that attribution," the report said.
But again, this was kept quiet because the US wanted to find out why this spying was done. This nugget of information was attributed to three officials who said the NSA director at the time, Keith Alexander, was chiefly responsible for the decision to stay quiet. When a spokesman for Alexander was approached, he referred the questions to the NSA which, as it normally does, refused to confirm anything.
The code that was causing issues in the Pentagon case was identified as being part of the BIOS, which anonymous officials, who were briefed about the findings, said had been determined as being put in there by Supermicro personnel.
The report says that in 2014, malicious chips were found on Supermicro motherboards, with the information again credited to officials who were briefed between 2014 and 2017.
"It remains unclear how many companies were affected by the added-chip attack. Bloomberg’s 2018 story cited one official who put the number at almost 30, but no customer has acknowledged finding malicious chips on Supermicro motherboards," Robertson and Riley wrote.
The report also claimed that a security breach in Intel's networks was through a firmware update downloaded from Supermicro's website. An Intel spokeswoman said the incident was detected early and caused no data loss.