Hacked Supermicro system at US telecom firm: Report
An unnamed U.S. telecommunications giant discovered evidence of “manipulated hardware” supplied by Supemicro and removed the compromised device from its network, according to a Bloomberg report Tuesday, days after the company rejected a report that Chinese agents had compromised its devices.
Yossi Appleboum, a cybersecurity expert and co-CEO of Sepio Systems, purportedly provided evidence to Bloomberg that the unnamed company discovered an “implant” on a Supermicro server’s Ethernet connector. The device was inspected after experts detected “unusual communications” originating from the server.
"The security of our customers and the integrity of our products are core to our business and our company values,” Supermicro said in a statement. “We take care to secure the integrity of our products throughout the manufacturing process and follow rigorous industry quality and security standards. With respect to the recent media reports, we have seen no evidence of any unauthorized components in our products, no government agency has informed us that they have found unauthorized components on our boards, and no customer has reported finding any such unauthorized components.”
It is unclear which U.S. telecommunications company was purportedly affected – Bloomberg declined to reveal the company because Appleboum has an active nondisclosure agreement.
The new report came just days after Bloomberg Businessweek reported that Chinese agents had succeeded in placing computer chips in devices that allowed them to spy on several prominent companies, including Apple and Amazon. The data centers of roughly 30 U.S. companies, as well as some U.S. government contractors, were said to have been affected.
The report, which cited 17 unnamed sources in the intelligence community and within the impacted companies, was met with strong denials. Apple and Amazon said they had found no evidence to corroborate the report.
The United Kingdom’s cybersecurity agency and the U.S. Department of Homeland Security also expressed skepticism about the initial report.
“The Department of Homeland Security is aware of the media reports of a technology supply chain compromise,” the Department of Homeland Security said. “Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”