SuperMicro supply chain breach (since 2010)

Date	First discovered in early 2010.^[1]
Suspected actor	According to Intel, APT 17 (also known as Sneaky Panda or Deputy Dog), a Chinese state-sponsored group, was behind the operation.^[1]
Target	Various government agencies and private sector organizations, including Apple, Amazon, Intel, and the US Department of Defense.^[1]
Target systems	Computers containing hardware made by Super Micro Computer Inc.^[1]
Method	SuperMicro’s motherboards reportedly featured an extra chip the size of a grain of rice,^[2] loaded with code that created a backdoor to the user’s servers.^[1]
Purpose	Possibly data exfiltration and cyber espionage.^[1]
Result	In 2018, Bloomberg estimated that there were 30 organizations that had suffered breaches but were unaware of that fact.^[2] The total number of organizations breached remains unknown. In addition, military data was exfiltrated from the US Department of Defense.^[1]
Aftermath	SuperMicro has denied the reports and any culpability.^[3] However, the company admitted in 2019 that it had suffered “unauthorized intrusions” into its network that began in 2011 and ceased in 2018.^[1] A security audit conducted by SuperMicro did not reveal the presence of any malicious chips.^[4] Nonetheless, the company moved its manufacturing out of China.^[5] China has denied the allegations made against it, describing them as “attempts to discredit China and Chinese enterprises”.^[1] Apple stopped using SuperMicro’s motherboards for “unrelated reasons”.^[2] By contrast, at least some US government agencies continued to purchase the company’s products, although reportedly for unclassified purposes.^[1]
Analysed in	Scenario 02: Cyber espionage against government departments Scenario 09: Economic cyber espionage

Collected by: Michaela Prucková

↑ ^1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 ^1.7 ^1.8 ^1.9 J Robertson and M Riley, ‘The Long Hack: How China Exploited a U.S. Tech Supplier’ Bloomberg (12 February 2021)
↑ ^2.0 ^2.1 ^2.2 J Robertson and M Riley. ‘The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies’ Bloomberg (4 October 2018)
↑ SuperMicro, ‘Supermicro Statement on Bloomberg’s Claims’ (12 February 2021)
↑ SuperMicro, ‘Testing Finds No Malicious Hardware on Supermicro Motherboards’ (11 December 2018)
↑ S Moss, ‘Supermicro to move manufacturing out of China to quell the spy chip rumors it denies’ Data Centre Dynamics (7 May 2019)

[:1-1] 1.0 ^1.1 ^1.2 ^1.3 ^1.4 ^1.5 ^1.6 ^1.7 ^1.8 ^1.9 J Robertson and M Riley, ‘The Long Hack: How China Exploited a U.S. Tech Supplier’ Bloomberg (12 February 2021)

[:2-2] 2.0 ^2.1 ^2.2 J Robertson and M Riley. ‘The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies’ Bloomberg (4 October 2018)

[3] SuperMicro, ‘Supermicro Statement on Bloomberg’s Claims’ (12 February 2021)

[4] SuperMicro, ‘Testing Finds No Malicious Hardware on Supermicro Motherboards’ (11 December 2018)

[5] S Moss, ‘Supermicro to move manufacturing out of China to quell the spy chip rumors it denies’ Data Centre Dynamics (7 May 2019)

[1]

[2]

[3]

[4]

[5]

SuperMicro supply chain breach (since 2010)

Navigation menu

Search