AWS Categorically Denies Bloomberg Report Citing Elemental / Super Micro Security Issue

Josh Stinehour | October 5, 2018

Stephen Schmidt, Chief Information Security Officer for AWS, published a blog post yesterday categorically refuting a Bloomberg article claiming Supermicro motherboards used by Elemental Technologies had been modified by the Chinese army to include a malicious chip for the purpose of espionage.  (I never imagined I would write the previous sentence or anything like it).

Given Amazon’s statement includes an identified senior executive, cites facts, and leaves absolutely no ambiguity on the Company’s position, I will lead with its statement:

Mr. Schmidt writes,

“As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Supermicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”

Apple is also mentioned in the Bloomberg article and similarly issued an on-the-record press release refuting all aspects of the article.  Again, Apple provides Company contacts, reviews the historical events, and issues an unambiguous denial of the claims in the article.  “The October 8, 2018 issue of Bloomberg Businessweek incorrectly reports that Apple found ‘malicious chips’ in servers on its network in 2015. As Apple has repeatedly explained to Bloomberg reporters and editors over the past 12 months, there is no truth to these claims” states the Apple press release.

Joining the statements of Amazon and Apple is Supermicro itself, which “strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.” The press release by the San Jose, CA-based Supermicro also makes a point of admonishing that “The manufacture of motherboards in China is not unique to Supermicro and is a standard industry practice.”

In the ‘Manufacturing and Quality Control’ section of its annual report, Supermicro has the following entry,

“Assembly, test and quality control of our servers are performed at our manufacturing facilities in San Jose, California, the Netherlands and Taiwan. Each of our facilities has been certified by Quality / Environmental Management System or, Q/ EMS, according to ISO 9001 and ISO 14001 standards. Our suppliers and contract manufacturers are required to support the same standards in order to maintain consistent product and service quality and continuous improvement of quality and environmental performances”

Returning to the Bloomberg article, it is important to start by stating that the information reported is based entirely on unnamed sources.  The narrative of the story begins with AWS’s 2015 acquisition of Portland, Oregon-based Elemental Technologies.  The article's position is that, during the diligence of the transaction, AWS discovered a security issue with the Supermicro servers Elemental bundled with its software for video processing and compression.

More specifically, AWS is reported to have discovered a tiny microchip embedded onto the Supermicro motherboard by a Chinese subcontractor to Supermicro.  AWS is then reported to have informed the US authorities, who subsequently opened a top-secret (Bloomberg’s word) investigation that remains open.  Bloomberg further reports this investigation determined the chips allowed attackers to gain access to networks where the systems were deployed, and that the culprit was the Chinese military.

On-the-record denials from Apple, Amazon, and Supermicro are included in the report along with a broader denial by the Chinese government on supply chain manipulation.  Bloomberg’s sources for the article are six unidentified current and former national security officials.  Elemental’s part in the report is sourced from one of those aforementioned six and two unidentified sources working at Amazon.  Other unnamed and unidentified sources are cited from Apple.  The total number of unnamed contributors to the Bloomberg article is indicated as 17.

I encourage you to read the article for yourself as well as the firm, categorical denials by the named companies.

Initial Consequences of the Allegations

Allegations of security vulnerabilities have consequences, especially considering almost two-thirds of Supermicro’s annual sales come from the United States (based on geographic revenue split from 2016 annual report). Supermicro’s stock price closed the Wednesday trading session (over-the-counter market) at $21.40.  As of noon US ET, it was trading at $10.87, an almost 50% decline.  Supermicro has been unable to file financial statements owing to accounting issues since the quarter ending March 31, 2017.  This now covers two annual reporting periods.  Inability to file reports led to a delisting from the NASDAQ in late August 2018.

The preliminary financial information published by Supermicro in late August indicated revenues for the quarter ending June 30, 2018 were between $986 and $996 million with GAAP earnings of between $0.51 and $0.55 per share.  The mid-point of the revenue guidance would represent a 38% year-over-year increase versus the comparable period ending June 30, 2017.  Cash was $94.1 million at the end of the quarter, compared to bank debt of $116.2 million.



Related Content:

Bloomberg Article: The Big Hack

AWS Blog Post: Setting the Record Straight

SuperMicro Press Release Refuting Bloomberg Article

Apple Press Release: What Businessweek got wrong about Apple


© Devoncroft Partners 2009-2018.  All Rights Reserved.