A major US telecom company found manipulated hardware on its network and removed it in August, according at report by Bloomberg on Tuesday.
An “implant” built into the Ethernet connector on a Supermicro server was discovered during an inspection of the telecommunications company’s data centers, according to the report. The report said the manipulated hardware was discovered after “unusual communications” from the Supermicro server prompted a physical inspection.
The chip was reportedly uncovered by security expert Yossi Appleboum, who was hired by the telecommunications company. Appleboum provided documents, analysis and other evidence of the manipulated hardware, according to Bloomberg, which didn’t publish the documents with the article.
The Bloomberg story doesn’t identify the telecommunications company “due to Appleboum’s nondisclosure agreement with the client.”
Appleboum didn’t immediately respond to a request for comment.
CNET reached out to major US telecommunications companies for comment on the report. T-Mobile, Sprint, AT&T said they weren’t the company described in the Bloomberg story. Verizon didn’t respond to a request for comment but is quoted by Bloomberg as saying, “We’re not affected.”
The report of the compromised server follows a Bloomberg investigation last week that said Chinese surveillance microchips had been inserted into Supermicro hardware used at Apple and Amazon data centers in order to gather intellectual property and trade secrets. Both Apple and Amazon strongly disputed the report, which cited anonymous government and corporate sources.
On Monday, Apple sent a letter to Congress reiterating its denial of Bloomberg’s report, saying it “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
The hacked hardware found on the telecom company’s server is further evidence of “tampering in China of critical technology components bound for the US,” according to Bloomberg.
Supermicro, which denied the earlier report, didn’t immediately respond to a request for comment, but said in a statement to Bloomberg it had no knowledge of any unauthorized components in its hardware. The company’s full name is Super Micro Computer, but it is commonly referred to as Supermicro.
“We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry,” Supermicro is quoted as saying. “We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found.”
Yossi told Bloomberg he’s seen similar manipulations in other vendors’ hardware made by contractors in China. He also told Bloomberg there are countless points in the supply chain in China where hacked hardware can be introduced.