That’s according to a report from Bloomberg which details how the Chinese government infiltrated a number of U.S. companies by sneaking tiny chips onto motherboards from Supermicro. They then became part of servers deployed by the companies giving remote operatives potential access to data. It’s a huge story that includes a comparatively small but important passage shedding light on Amazon’s China deal last November — the U.S. firm sold the physical server business to local partner Beijing Sinnet for 2 billion yuan, or around $300 million.
That transaction initially sparked reports that AWS would exit China, but Amazon later clarified it planned to continue to operate its cloud services in China. Selling the physical server business, it said, was down to the fact that “Chinese law forbids non-Chinese companies from owning or operating certain technology for the provision of cloud services.”
While it is correct that China did introduce cybersecurity laws that placed restrictions on overseas firms and appeared to give the government unprecedented access to data, the Bloomberg report claims that Amazon’s China-based servers were in fact offloaded because they were plagued with compromised servers.
A notable exception was AWS’s data centers inside China, which were filled with Supermicro-built servers, according to two people with knowledge of AWS’s operations there. Mindful of the Elemental findings, Amazon’s security team conducted its own investigation into AWS’s Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they’d previously encountered. In one case, the malicious chips were thin enough that they’d been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says.
One source at Amazon described the deal to Bloomberg as a decision to “hack off the diseased limb.”
Amazon refuted the claims, as did other U.S. companies named in the report as well as the Chinese government itself.
“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware,” Amazon told Bloomberg in a statement.
The company added more in another statement on its website, calling the Bloomberg claim “absurd”:
“This notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we launched in China, they owned these data centers from the start, and the hardware we “sold” to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China,” wrote AWS chief information security officer Stephen Schmidt.