At least two Australian government agencies held contracts for hardware from Supermicro, a company whose technology was allegedly infiltrated by malicious computer chips.
A report in Bloomberg Businessweek claims Chinese government operatives installed tiny spy chips in Supermicro server motherboards, which it says were then used by Apple, Amazon, the US government, banks and others.
Supermicro, Apple and Amazon strongly deny the allegations.
Tender documents show both Australia’s Department of Defence and Bureau of Meteorology were supplied with Supermicro technology.
It is not yet clear whether these contracts involved any of the affected motherboards, or whether technology was supplied from any of the four subcontracting factories in China where the chips were allegedly added.
Defence contracts for Supermicro hardware stretch back to at least 2007. Between 2016 and mid-2018, those contracts covered servers and other technology worth more than $200,000.
Whether the chips reached servers outside America also remains unknown: an official told Bloomberg the supply chain attack affected “almost 30 [American] companies, including a major bank, government contractors … and Apple”.
According to the report, the surveillance chip, “not much bigger than a grain of rice”, was discovered in 2015 by an unnamed security company and remains the subject of ongoing investigations.
Allegations raise supply chain concerns
The report comes as concerns grow globally about the security of technology supply chains for smartphones, servers and computer parts, particularly those dominated by Chinese factories.
Bloomberg Businessweek cited 17 unidentified intelligence and company sources who outlined how Chinese government operatives placed computer chips in the equipment during the manufacturing process, giving Beijing remote access to internal networks.
Fergus Hanson, the head of the Australian Strategic Policy Institute’s International Cyber Policy Centre, said in many ways the allegations were unsurprising.
He pointed out China has access to — and control of — important parts of the global manufacturing supply chain.
“It’s logical it would try to use that to its advantage,” he said.
“It speaks to the broader challenge: that we need to start looking at sensitive supply chains much more closely.”
In August, the Federal Government banned Chinese-owned technology company Huawei from taking part in the rollout of 5G mobile infrastructure over national security concerns.
Chinese law requires organisations to support, assist and cooperate with intelligence work, which analysts say can make Huawei’s equipment a vulnerable access point for espionage.
Huawei’s Australian arm denies it is controlled by Beijing.
Apple, Amazon and Supermicro dispute the report
Edward Farrell, an Australian cybersecurity researcher, said it was technologically feasible to add a “backdoor” to hardware, as described in the Bloomberg report.
In his view, however, the story raises more questions than answers.
The report suggests China engaged in “dragnet” surveillance, he said — attempting to target multiple companies and entities at once by installing chips.
“Backdooring hardware to this degree historically has been an expensive exercise, and countries aren’t going to reveal their capability in this space unless the juice is worth the squeeze,” he said.
“The more you employ a capability such as backdooring hardware, the higher the likelihood that that capability is going to get detected.
“Does this tell us this is now an easy capability for Chinese intelligence, if it is true? Or does it indicate it’s something they’re willing to burn for some sort of intelligence gathering?”
In a statement to Bloomberg, Amazon said: “We’ve found no evidence to support claims of malicious chips or hardware modifications.”
Apple said it had never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server.
“Apple never had any contact with the FBI or any other agency about such an incident,” the company stated on its website.
China’s Ministry of Foreign Affairs said it was a “resolute defender of cybersecurity”.
“Supply chain safety in cyberspace is an issue of common concern, and China is also a victim,” it said.
The Department of Defence, the Bureau of Meteorology and Supermicro have been contacted for comment.