SuperMicro supply chain breach (since 2010)
|Date||First discovered in early 2010.|
|Suspected actor||According to Intel, APT 17 (also known as Sneaky Panda or Deputy Dog), a Chinese state-sponsored group, was behind the operation.|
|Target||Various government agencies and private sector organizations, including Apple, Amazon, Intel, and the US Department of Defense.|
|Target systems||Computers containing hardware made by Super Micro Computer Inc.|
|Method||SuperMicro’s motherboards reportedly featured an extra chip the size of a grain of rice, loaded with code that created a backdoor to the user’s servers.|
|Purpose||Possibly data exfiltration and cyber espionage.|
|Result||In 2018, Bloomberg estimated that there were 30 organizations that had suffered breaches but were unaware of that fact. The total number of organizations breached remains unknown.
In addition, military data was exfiltrated from the US Department of Defense.
|Aftermath||SuperMicro has denied the reports and any culpability. However, the company admitted in 2019 that it had suffered “unauthorized intrusions” into its network that began in 2011 and ceased in 2018. A security audit conducted by SuperMicro did not reveal the presence of any malicious chips. Nonetheless, the company moved its manufacturing out of China.
China has denied the allegations made against it, describing them as “attempts to discredit China and Chinese enterprises”.
Apple stopped using SuperMicro’s motherboards for “unrelated reasons”. By contrast, at least some US government agencies continued to purchase the company’s products, although reportedly for unclassified purposes.
|Analysed in||Scenario 02: Cyber espionage against government departments|
Collected by: Michaela Prucková
- J Robertson and M Riley, ‘The Long Hack: How China Exploited a U.S. Tech Supplier’ Bloomberg (12 February 2021)
- J Robertson and M Riley. ‘The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies’ Bloomberg (4 October 2018)
- SuperMicro, ‘Supermicro Statement on Bloomberg’s Claims’ (12 February 2021)
- SuperMicro, ‘Testing Finds No Malicious Hardware on Supermicro Motherboards’ (11 December 2018)
- S Moss, ‘Supermicro to move manufacturing out of China to quell the spy chip rumors it denies’ Data Centre Dynamics (7 May 2019)