For much of this year, China has been the tech sector's great wild card.
Tech companies with strong growth prospects and little or no Chinese exposure have mostly had a pretty good year. On the flip side, the shares of many Chinese tech firms that are still reporting healthy top-line growth have slumped in 2018. And so have those of many U.S. chip industry firms for whom worries about tariffs and/or stalled M&A reviews have put investors on edge.
Bloomberg's bombshell report published on Thursday morning about attempts by the Chinese military to insert spying chips on server motherboards ultimately used by many U.S. companies and government agencies provides the tech sector with a fresh dose of China-related uncertainty. At the same time, given the massive role that China currently plays in the global electronics supply chain, it's likely that the U.S. will try hard to limit the short-term economic disruption caused by any response to the story.
According to Bloomberg's sources, Chinese Army operatives used plants run by manufacturing subcontractors working for San Jose-based Super Micro (SMCI) to insert miniscule chips onto server motherboards that could instruct the server's operating system to communicate with, and accept code from, a remote, anonymous computer. A compromised server "could let the attackers alter how the device functioned, line by line, however they wanted, leaving no one the wiser."
The news service adds that back in 2015, a security company hired by Amazon.com (AMZN - Get Report) uncovered the spying chips on servers belonging to Elemental Technologies, a video-encoding software firm it was in the process of acquiring for the purpose of strengthening Amazon Web Services (AWS). At the time, Elemental's clients including large media companies as well as the CIA and the Department of Defense. Amazon, according to Bloomberg, reported the security firm's findings to U.S. authorities.
Separately, citing "three senior insiders at Apple (AAPL - Get Report) ," Bloomberg says that Apple also "found malicious chips on [Super Micro] motherboards" in 2015. The company is said to have been running about 7,000 Super Micro servers inside its data centers when the chips were found, and reportedly removed all of them within weeks of the discovery.
Super Micro's stock, which had been de-listed from the Nasdaq earlier this year, is down over 40% in the wake of Bloomberg's report. And the Nasdaq is down 2.2% amid a 1.2% drop for the S&P 500 that appears to be driven by worries about rising interest rates.
Notably, Amazon and Apple have each issued responses in which they refute parts of Bloomberg's story. Amazon says it has "found no evidence to support claims of malicious chips or hardware modifications" on Elemental servers within its records. The company does say that it found four issues at the time of the Elemental deal with a web application that Super Micro provides for managing its motherboards, but insists they were fully addressed before the deal closed.
In a blog post, AWS security chief Stephen Schmidt wrote that "there are so many inaccuracies in [Bloomberg's] article as it relates to Amazon that they're hard to count." He claims no issues were found with modified chips or hardware on Elemental's servers, and also insisted -- in response to Bloomberg's assertion that malicious chips were also found on servers inside of Chinese AWS data centers -- his company has "never found modified hardware or malicious chips in servers in any of our data centers."
For its part, Apple says that it "has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," and that (contrary to Bloomberg's report) it has never been in contact with the FBI or another agency about such an incident. "Our best guess is that [Bloomberg is] confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs," the company added in an e-mailed statement to Bloomberg.
Given how strong and unequivocal Amazon and Apple's denials are, it's entirely possible that some of the claims made by Bloomberg's sources about the companies' actions and discoveries are off. However, given the number of sources Bloomberg has, where these sources are said to be working and how detailed their allegations are, there are good reasons to think that a sophisticated hacking attempt involving malicious chips occurred, even if some of the specifics are up for debate.
Bloomberg says that in addition to the Apple insiders, it talked to "six current and former senior national security officials, who in conversations that began during the Obama administration and continued under the Trump administration, detailed the discovery of the chips and the [U.S.] government's investigation." It adds that in total, "17 people confirmed the manipulation of [Super Micro's] hardware and other elements of the attacks."
The report also features plenty of technical details about things such as where and how the chips were inserted, how the chips could be used to modify a server's operating system and how they could alter the instructions given to a CPU. The U.S. government's efforts to trace the insertion of the chips to four subcontracting factories working for Super Micro are also detailed.
Assuming that such a hacking effort was carried out at some scale, there's bound to be some fallout. However, considering that China is responsible a very large percentage of the world's manufacturing of everything from servers to PCs to mobile phones to IoT devices, any call to no longer rely on China for the production of any goods that could be used to leak sensitive data following a hardware hack seems pretty unlikely.
On the other hand, there will most likely be a push to have U.S. companies more closely scan and vet any such hardware that's manufactured in China. And one could imagine the U.S. government insisting that going forward, any hardware it uses that might store or access sensitive data is made in either the U.S. or a nation that's a military ally. Some large enterprises -- particularly ones that count government agencies as major clients -- could also try to curb their use of Chinese-made servers.
If U.S. government agencies and enterprises made such moves, it could benefit contract manufacturers with significant non-Chinese operations, such as Flex (FLEX - Get Report) and Jabil (JBL - Get Report) . But for now, that's just speculation.
More details about the hacking attempt, and of the U.S. government's investigation of it, should arrive in the coming weeks. For the time being, it provides tech investors with one more China-related unknown to mull.
Make Money on Closed-End Mutual Funds. TheStreet's Robert Powell recently hosted an all-star panel of experts who explained everything you need to know on closed-end mutual funds, an often-overlooked investment class. Click here to register and watch for free.