An investigation by an outside firm found no evidence that motherboards sold by Super Micro Computer had rogue chips planted during assembly to give hackers backdoors into Supermicro customers’ networks.
Supermicro, a San Jose, California-based IT hardware and components vendor, announced the investigation’s conclusion in a letter to customers posted on its website Tuesday. A spokesperson for Nardello & Co., the company that conducted the investigation, confirmed the conclusion in an email to Data Center Knowledge.
Nardello can “confirm Supermicro’s statement that the investigation found no evidence of malicious hardware on the company’s motherboards,” Kelsey Markovich, a spokesperson for the New York-based investigation services firm, wrote.
Another source familiar with the inquiry who wished to remain anonymous confirmed that Nardello, whose name Supermicro did not mention in its letter, was the third party that conducted the investigation.
The announcement adds Nardello to the growing list of voices challenging the Bloomberg BusinessWeek report, which alleged that Chinese military agents had coerced Supermicro’s contract manufacturers in China into letting them plant tiny processors in Supermicro products that could give Chinese spies broad access to corporate and government networks.
Other voices on that list include top management from Apple and Amazon Web Services – Bloomberg’s story, which came out in October, named them both as victims of the alleged security breach – numerous senior US and UK intelligence officials, and Supermicro itself, which saw 40 percent of its stock price evaporate immediately after the report was published. It has since regained half of the share value lost in the initial drop.
Bloomberg has stood by the story, saying it was based on more than a year’s worth of reporting, including more than 100 interviews. Seventeen sources, including current and former Apple and Amazon insiders and US government officials, “confirmed the manipulation of Supermicro’s hardware,” the news service said. “The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information.”
Apple and AWS were among nearly 30 US companies whose data centers may have been compromised by malicious chips planted on Supermicro motherboards, the report said. It did not name any of the other companies.
The third-party investigators tested “a representative sample of our motherboards,” the Supermicro letter, signed by the vendor’s president and CEO Charles Liang and its chief compliance officer David Weigand, read. The sample included the specific type of motherboards described in the Bloomberg article, motherboards bought by “companies referenced in the article,” and newer motherboards.