Supermicro Backup Server Used by Hillary Clinton Highlights Security Risks of China Supply Chain

By Annie Wu, Epoch Times
March 22, 2019 Updated: April 2, 2019

A little-noticed detail in the FBI’s investigation files related to former U.S. Secretary of State Hillary Clinton’s email servers has highlighted the security risks inherent in today’s tech supply chain.

Clinton’s use of private email servers during her 2009–2013 tenure raised the question of whether classified information was improperly stored or transmitted.

President Donald Trump has previously suggested on Twitter that Clinton’s emails were accessed by China. Several media also have cited anonymous sources that have said China had access to her emails.

But the brand of the particular server Clinton used to back up her emails became a telling detail after Bloomberg’s explosive report published in October 2018 revealed that a malicious microchip was allegedly planted by Chinese spies into server motherboards manufactured in China.

In 2013, after Clinton left office, the IT service provider Clinton contracted to manage the email server, Platte River Networks (PRN), moved the server to a data center in Secaucus, New Jersey, called Equinix. There, PRN staff set up a backup system using Datto, a U.S. data backup company. Datto’s backup server took multiple snapshots a day of the main email server which were then deleted every 60 days.

That Datto server was in turn manufactured by Supermicro, according to FBI files.

Supermicro is the tech company at the center of Bloomberg’s story.

Twitter user @Joestradamus91 was among the first to notice and publicize this detail.

Citing anonymous U.S. officials and tech company insiders, the Bloomberg report claimed that a Chinese military unit designed malicious microchips with backdoor access, and was able to secretly implant them at Chinese factories that supplied Supermicro with motherboards. Those compromised motherboards were then built into servers assembled at Supermicro.

The U.S.-based company, founded by a Taiwanese businessman in 1993, is a popular vendor of choice among tech companies. It designs servers according to clients’ specifications, often offered at much cheaper prices than its competitors, according to Gary Miliefsky, a top cybersecurity expert and CEO of Cyber Defense Media Group. Most of Supermicro’s components are made in China.

Though Supermicro and its two clients mentioned in the Bloomberg article—Apple and Amazon—have all denied the allegations, cyber experts believe such attacks are plausible but difficult to trace and attribute to a culprit.

Yossi Appleboum, founder and CEO of cybersecurity firm Sepio Systems and a former Israeli intelligence officer, said in a previous interview with the Israeli edition of The Epoch Times that he had seen such hardware implants before, including in computer keyboards and printers.

“In most cases, hardware manufacturers leave hardware connectors open on the motherboard, which enable access either to the processors or internet connections. This situation is like paradise to the attackers,” Appleboum said.

In response to the Bloomberg report, Apple wrote a letter to Congress that said it hasn’t detected “outbound traffic” that could suggest malware or malicious activity.

But Miliefsky noted that seemingly benign traffic could be exploited. A hypothetical example: Traffic could be going to a website that sells Apple products, but that IP address could have been set up by an attacker to transfer data to China.

Another example of a hard-to-detect attack is if it were designed to be triggered at a specific time in the future.

Datto has had security flaws before, such as in November 2017 when it detected vulnerabilities that allowed remote access to data, though the company said at the time that no client device was reported to have been affected.

Datto did not respond to a request for comment.

It isn’t known whether or not Clinton’s Supermicro-manufactured Datto server had vulnerabilities that could have been exploited by Chinese entities; Supermicro didn’t respond to a request for comment. But Miliefsky said there is an inherent risk with using Chinese-manufactured products.

“Most hardware built in China now have a zero-day vulnerability,” Miliefsky said in a phone interview, referring to an existing flaw that could be exploited by attackers without the developers’ knowledge. By the time the developer notices the attack, the attackers have already done the damage.

“If there’s malicious hardware, it can take down an F-15 [stealth fighter jet] if they have a backdoor,” Miliefsky said.

Given the Chinese regime’s prolific cyberattacks, the fact that so much of today’s tech hardware is manufactured and developed in China is a major concern, Appleboum said.

Miliefsky said that to ensure the safety of data, U.S. businesses and consumers should audit where critical tech components are made and what is in their codes.

“Supply chain management is one of the biggest topics in cybersecurity right now,” he said.

Follow Annie on Twitter: @annieeenyc