SuperMicro supply chain breach (since 2010)

From International cyber law: interactive toolkit
Date: First discovered in early 2010.[1]
Suspected actor: According to Intel, APT 17 (also known as Sneaky Panda or Deputy Dog), a Chinese state-sponsored group, was behind the operation.[1]
Target: Various government agencies and private sector organizations, including Apple, Amazon, Intel, and the US Department of Defense.[1]
Target systems: Computers containing hardware made by Super Micro Computer Inc.[1]
Method: SuperMicro’s motherboards reportedly featured an extra chip the size of a grain of rice,[2] loaded with code that created a backdoor to the user’s servers.[1]
Purpose: Possibly data exfiltration and cyber espionage.[1]
Result: In 2018, Bloomberg estimated that there were 30 organizations that had suffered breaches but were unaware of that fact.[2] The total number of organizations breached remains unknown.

In addition, military data was exfiltrated from the US Department of Defense.[1]

Aftermath: SuperMicro has denied the reports and any culpability.[3] However, the company admitted in 2019 that it had suffered “unauthorized intrusions” into its network that began in 2011 and ceased in 2018.[1] A security audit conducted by SuperMicro did not reveal the presence of any malicious chips.[4] Nonetheless, the company moved its manufacturing out of China.[5]

China has denied the allegations made against it, describing them as “attempts to discredit China and Chinese enterprises”.[1]

Apple stopped using SuperMicro’s motherboards for “unrelated reasons”.[2] By contrast, at least some US government agencies continued to purchase the company’s products, although reportedly for unclassified purposes.[1]

Analysed in: Scenario 02: Cyber espionage against government departments

Scenario 09: Economic cyber espionage

Collected by: Michaela Prucková