Bloomberg reporters are persistent. Two and a half years ago, the outlet accused China of embedding cyber-espionage chips the size of a small grain of rice in the motherboards of Supermicro, an American computer manufacturer. That investigation, largely based on anonymous testimony, has not been confirmed by any stakeholder, be it the manufacturer, its customers or government agencies.
Bloomberg is now at it again, claiming that China has indeed built backdoors into motherboards, not only of Supermicro servers but also of Lenovo laptops. This time, the journalists have gathered testimony from more than 50 people from the private sector, government agencies, the US Congress, defense and law enforcement, most of them anonymous, but not all.
In 2008, the US military reportedly found itself with a “large number of Lenovo laptops” whose boards incorporated a chip “which records all the data that goes into the laptop and transfers it to China”. In 2010, the Pentagon then reportedly detected backdoors on thousands of Supermicro servers. These allegedly sent China technical data about the host machine and the network to which it was connected. In this way, part of the Department of Defense’s unclassified network was reportedly mapped.
These backdoors are said to be the work of Chinese intelligence agencies, which allegedly hid them in the BIOS of Supermicro motherboards with the help of one or more of the manufacturer’s employees. In 2014, FBI investigators then reportedly came across a second category of backdoors built into Supermicro’s motherboards: the famous chips Bloomberg had written about in 2018. The government reportedly kept all of these discoveries secret so as not to alert China and to be able to analyze its espionage capabilities in depth.
Supermicro, for its part, rejects all of these allegations outright.
“The Bloomberg article is a mishmash of disparate and inaccurate allegations dating back many years. It draws far-fetched conclusions that, again, do not stand up to scrutiny. In fact, the National Security Agency again told Bloomberg last month that it was maintaining its 2018 comments and the agency said of Bloomberg’s new claims that it ‘cannot confirm that this incident – or the subsequent response actions described – never happened.’ Despite Bloomberg’s allegations of alleged cybersecurity or national security investigations going back more than 10 years, Supermicro has never been contacted by the US government, or any of our partners or customers, regarding these alleged investigations,” a press release states.
On the government side, Bloomberg has not obtained confirmation either. The various agencies questioned either made no comment or replied in very general terms.