Supermicro: Still 'No Evidence' Of China Hack Amid New Report


Supermicro says it still hasn't found or received any information to corroborate reports that Chinese spies inserted a malicious microchip into its servers, in the wake of a second report from Bloomberg on the matter.

Bloomberg reported Tuesday that a "major U.S. telecommunications company," which is not identified by name, discovered and removed a compromised Supermicro server in August. The report follows last week's Bloomberg Businessweek story that claimed infiltration of Supermicro servers, used by the likes of Amazon Web Services and Apple, by Chinese intelligence services looking to steal sensitive data. Supermicro, Apple and AWS have repeatedly denied the accuracy of the report.

[Related: Apple Sends Letter To Congress Denying China Hack]

The new Bloomberg report cites findings by Yossi Appleboum, co-CEO of Sepio Systems, a Gaithersburg, Md.-based cybersecurity vendor focused on protecting against hardware attacks. Appleboum reportedly discovered a malicious implant in the telecom firm's data centers, which was found to have "unusual communications." He also told Bloomberg that he's seen similar phenomenon in other Chinese-manufactured computer hardware. Sepio Systems did not immediately respond to a request for comment.

Sponsored post

In a statement provided to CRN Tuesday, San Jose, Calif.-based Supermicro maintained its previous position on the Bloomberg claims.

"With respect to the recent media reports, we have seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components," Supermicro said in its statement.

Supermicro's stock price dropped 15.5 percent, closing at $12.46, on Tuesday. That's down from $21.40 on Oct. 3, the day before Bloomberg's initial report on the matter came out.

In a statement provided to CRN, a Verizon Communications spokesman stated that "Verizon's network is not affected" by the issues described in the Bloomberg article. An AT&T spokesman likewise told CRN, “These devices are not a part of our network, and we are not affected.”

A Sprint spokeswoman said in a statement to CRN that "Sprint does not have Supermicro equipment deployed in our network." T-Mobile did not immediately respond to a request for comment.

This past weekend, Apple wrote a letter to Congressional committees arguing that the Bloomberg reporting has been inaccurate, while the U.S. Department of Homeland Security released a statement showing support for the rebuttals issued by Apple and AWS.

Bloomberg's article on Tuesday, however, suggests that the Department of Homeland Security may not be privy to the details of the purported Chinese hack.

"People familiar with the federal investigation into the 2014-2015 attacks say that it is being led by the FBI's cyber and counterintelligence teams, and that DHS may not have been involved. Counterintelligence investigations are among the FBI's most closely held and few officials and agencies outside of those units are briefed on the existence of those investigations," the Bloomberg article said.

The FBI declined to comment in an email to CRN on Tuesday.