The tiny chips, as small as the tip of a sharpened pencil and designed to be undetectable without specialist equipment, were implanted on to the motherboards of servers on the production line in China, the report in Bloomberg Businessweek said.
Technology shares in Hong Kong fell sharply on Friday led by Lenovo, which lost 23% in morning trade. The Hong Kong-listed shares of Chinese telecommunications equipment maker ZTE Corp lost more than 14%.
The chips were reportedly developed by a specialised computer hardware attack unit in the People’s Liberation Army, and gave hackers unfettered access to anything the server did, allowing them to potentially manipulate the server to steal data, contact other servers and alter operations.
“Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow,” Joe Grand, a hardware hacker and the founder of Grand Idea Studio, told Bloomberg.
The allegedly compromised hardware, sold by Super Micro Computer, which is based in San Jose, California and described as “the Microsoft of the hardware world”, found its way into the data centres and operations of 30 companies, including Apple and Amazon as well as banks, hedge funds and government contractors, according to the report.
The attack was reportedly discovered in 2015 by the US intelligence services, as well as by Apple and Amazon as the companies purchased servers made by Super Micro Computer. The report claims Amazon became aware of the attack during movesby its subsidiary Amazon Web Services (AWS) to purchase streaming video compression firm Elemental Technologies in 2015. Apple had reportedly bought around 7,000 Super Micro servers when its security teams discovered the chips.
The report cited 17 unnamed intelligence and company sources as saying that Chinese spies had placed computer chips inside equipment used by around 30 companies, as well as multiple US government agencies, which would give Beijing secret access to internal networks.
Amazon, Apple and Super Micro have all denied Bloomberg’s report. Amazon said: “It’s untrue that AWSknew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental.”
AWS said: “As we shared with Bloomberg BusinessWeek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.”
Apple said: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
“We remain unaware of any such investigation,” said Super Micro.
Super Micro Computer engineers its equipment in San Jose, but, like the majority of electronics firms, it outsources manufacturing, including to contractors in China.
The Chinese government has also denied the report. A spokesperson said: “China is a resolute defender of cybersecurity. We hope parties make less gratuitous accusations and suspicions but conduct more constructive talk and collaboration so that we can work together in building a peaceful, safe, open, cooperative and orderly cyberspace.”
There have been increased concerns about foreign intelligence agencies infiltrating US and other companies via so-called “supply chain attacks”, particularly from China where multiple global tech firms outsource their manufacturing.
Associated Press contributed to this report