Chinese Super Micro ‘spy chip’ story gets even more strange as everyone doubles down
Bloomberg puts out related story while security experts cast doubt on research and quotes
The veracity of a bombshell yarn claiming Chinese agents managed to sneak spy chips into Super Micro servers used by Amazon, Apple and the US government is still being fiercely argued over five days after publication.
On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a “major US telecommunications company” discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.
That latest piece comes after one of the experts in the original story gave an interview in which he expressed his concern about the finished piece and questioned whether Bloomberg had done sufficient fact checking before publishing.
The new article also comes in the wake of a second, even stronger denial of the key elements of the story by Apple – sent to US Congress committees – as well as statements from the intelligence wings of both the UK and US governments that push the idea that Bloomberg may have made a serious reporting mistake.
With clear and increasingly firm stances that stand in complete opposition to one another, security experts remain undecided as to whether the story is largely correct and China did insert spy chips into Super Micro motherboards; or whether the journalists behind the story wrongly extrapolated information and ended up publishing something incorrect.
Faced with such uncertainty, some are reaching for a unifying explanation: that Bloomberg was misled by some in the intelligence community that wish, for their own reasons, to raise the specter of Chinese interference in the global electronics supply chain. Bloomberg could be accurately reporting an intelligence misinformation campaign.
Another expert, another report
In its most recent story, Bloomberg claims to have seen “documents, analysis and other evidence” of Chinese interference: in this case “manipulated hardware” stemming from Super Micro that was discovered in the network of a large US telecoms company and pulled out in August.
The source of that report is named: Yossi Appleboum, CEO of security specialists Sepio Systems. Appleboum claims to have discovered “unusual communications” coming from a Super Micro server that was part of a data center audit ordered by the unnamed company.
Physical inspection of that board revealed “an implant built into the server’s Ethernet connector,” Appleboum says. Bloomberg knows the company affected but has chosen not to name it because of a non-disclosure agreement signed between Sepio Systems and the company in question.
While Bloomberg notes that the Ethernet implant “is different from the one described in the Bloomberg Businessweek report last week,” it argues that it shares “key characteristics” including the fact that the alteration was made at a Super Micro factory and it was designed to be invisible while extracting data.
The conclusion that the impact was introduced at the factory in China was reached by Appleboum, he claims. But notably he goes on to state that “he was told by Western intelligence contacts that the device was made at a Super Micro subcontractor factory in Guangzhou, a port city in southeastern China.”
Appleboum make a series of other interesting statements, including that the Sepio team had seen similar variations of the implant in other motherboards made in China, and that he had been informed by intelligence agents from other countries that they had been tracking the manipulation of Super Micro hardware for some time.
You know nothing, DHS
Bloomberg used the report to push back against a statement from the US Department of Homeland Security (DHS) in which it said it had “no reason to doubt” denials of its spy-chip original story. Bloomberg insists that there was an FBI investigation of the issue, but that it was run by the organization’s “cyber and counterintelligence teams, and that DHS may not have been involved.”
In other words, Bloomberg – seemingly surprised by the forceful denials of its story – is arguing that only a small group of people were aware of the investigations it wrote about and so claims of inaccuracy may come from people who simply do not know about them.
All of which is to say: after five days of fierce scrutiny, no one is any the wiser as to whether the story is true or not. We will have to see what this week brings.