s.15(1) - DEF
s.16(2)(c)
TS//SI//CEO
A-2020-00003-00001

Supply Chain Integrity Assessment — Super Micro Computer

RECORD OF AMENDMENTS
No.  | Amendment                     | Amendment Date | Entered By
001  | Creation of assessment report |                |
002  | Changing of                   | 2020.01.07     |

COMPANY OVERVIEW (U)

(U) Super Micro Computer Inc. (SMCI) is a publicly-traded information technology (IT) company and the leading innovator of high-performance, high-efficiency server/storage solutions for Data Center, Cloud, Enterprise IT, Big Data, HPC and Embedded/Internet of Things (IoT) clients worldwide. The company produces data center solutions ranging from complete server, storage, blade and workstations to racks, networking devices, server management software, and technology support and services. Co-founded in 1993 by Charles Liang, Yih-Shyan (Wally) Liaw and Chiu-Chu (Sara) Liu Liang, SMCI is headquartered in the United States (US), with subsidiaries worldwide.

(U) SMCI's products and services are marketed under the trademark brands of SuperServer, FatTwin, TwinPro, SuperBlade, Double-Sided Storage, BBP, SuperRack, Building Block Solutions and We Keep IT Green.

(U) SMCI uses several third-party suppliers and contract manufacturers for materials and sub-assemblies, such as serverboards, chassis, disk drives, power supplies, fans and computer processors. The company believes that selectively using outsourced manufacturing services allows it to focus on its core competencies in product design and development as well as increase its operational flexibility. Ablecom, a privately-held Taiwan-based chassis supplier, together with one of its subsidiaries, Compuware (collectively Ablecom), is SMCI's primary contract manufacturer. Ablecom is also used to warehouse a number of components and subassemblies manufactured by multiple suppliers.

(U) SMCI has manufacturing facilities in Taiwan, the Netherlands, and the US which perform assembly, test and quality control of SMCI's servers. These manufacturing facilities are primarily to support the company's Asian and European markets.

(U) In May 2012, SMCI and Ablecom jointly established SMCI's Science and Technology Park in Taiwan to manage the common areas shared by both companies' separately constructed manufacturing facilities. Each company contributed USD$168,000 and owns 50 percent of the Management Company.

(U) The majority of the company's research and development (R&D) efforts are conducted in-house at the company's headquarters in the US.

(PB) Based on the research for this part of the assessment,

COMPANY EXECUTIVES AND BOARD OF DIRECTORS (U)

(U) SMCI is headed by Charles Liang, Founder, Chairman, President and CEO since 1993. Prior to SMCI, Liang served in roles at Micro Center Computer Inc., Suntek Information International Group and Chips and Technologies Inc. Other executives include:

• Chiu-Chu (Sara) Liu Liang, Founder, Treasurer, Director and Senior Vice President of Operations since 1993;
• Kevin S. Bauer, Chief Financial Officer (CFO) and Senior Vice President since 2018, previously serving as Senior Vice President of Corporate Development and Strategy since joining the company in 2017. Prior to SMCI, Bauer served in roles at Exar Corporation, Pericom Semiconductor Corporation and WaferTech LLC;
• George Kao, Senior Vice President of Operations since 2018, previously serving in a variety of positions since joining the company in 2016. Prior to SMCI, Kao served in roles at Pericom Semiconductor Corporation, Orient Semiconductor Electronics Philippines, Foveon, and National Semiconductor. Kao is also a member of the Board of Directors at Orient Semiconductor Electronics Philippines;
• Yih-Shyan (Wally) Liaw, Founder and Senior Vice President of International Sales since 2014 and Corporate Secretary and Director since 1993. Prior to SMCI, Liaw served in roles at Great Tek;
• Tau Leng, Senior Vice President of Technology. Tau is also a member of the Board of Directors at Storage Networking Industry Association; and
• David Weigand, Senior Vice President and Chief Compliance Officer (CCO) since 2018. Prior to joining SMCI, Weigand served in roles at Hewlett Packard Enterprise (HPE), Silicon Graphics International Inc., Renesas Electronics America, and NEC Electronics America (NEC Corporation subsidiary).

(U) Board of Directors include:

• Hwei-Ming Tsai, Independent Director. Hwei-Ming is also a member of the Board of Directors at ANZ Bank (Taiwan) Ltd. Hwei-Ming previously served in roles at SinoPac Bancorp and Far East National Bank;
• Sherman Tuan, Independent Director since 2007. Tuan is Founder, Chairman, and CEO at PurpleComm Inc., CEO at Purple Communications Ltd., Advisor at BrainStorm Ventures International LLC and Co-Founder at AboveNet Communications Inc.;
• Laura A. Black, Independent Director since 2012. Black is also a member of the Board of Directors at Viavi Solutions Inc.;
• Michael S. McAndrews, Independent Director since 2015. McAndrews is also a member of the Board of Directors at Uplift Family Services and Principal at Stringham and Lynch, An Accountancy Corporation;
• Saria Tseng, Director since 2016. Tseng is Secretary and Vice President of Strategy and Corporate Development at Monolithic Power Systems Inc. Tseng is also a member of the New York State Bar Association, the State Bar of California and the China Bar Association; and
• Tally C. Liu, Director since 2019.

For any inquiry on CSE's methodology or for additional advice, guidance and support please contact        @cse-cst.gc.ca
(PB) Based on the research for this assessment,

(PB) Based on the research for this assessment, the foreign entity

CYBERSECURITY ISSUES (U)

(U) In October 2018, two unconfirmed Bloomberg articles surfaced claiming that Chinese spies had infiltrated SMCI's factories and inserted tiny implants into the Ethernet connectors in their motherboards, many of which ended up at Apple and Amazon. The implants were purported to have been first discovered by a major US telecom, but the claim has been unsubstantiated. (Ref: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies)

TOP SECRET//SI//CANADIAN EYES ONLY
October-12-18 9:18 AM
Updates: 1-12 October 2018
Classification: TOP SECRET//SI//CANADIAN EYES ONLY
1-12 October 2018 - updates
Available in        space

• New Evidence of Hacked Supermicro Hardware Found in U.S. Telecom - A major U.S. telecommunications company discovered manipulated hardware from Super Micro Computer Inc. in its network and removed it in August, fresh evidence of tampering in China of critical technology components bound for the U.S., according to a security expert working for the telecom company. Supermicro, based in San Jose, California, gave this statement: "The security of our customers and the integrity of our products are core to our business and our company values. We take care to secure the integrity of our products throughout the manufacturing process, and supply chain security is an important topic of discussion for our industry. We still have no knowledge of any unauthorized components and have not been informed by any customer that such components have been found. We are dismayed that Bloomberg would give us only limited information, no documentation, and half a day to respond to these new allegations." China's embassy in Washington did not return a request for comment Monday. In response to the earlier Bloomberg Businessweek investigation, China's Ministry of Foreign Affairs didn't directly address questions about the manipulation of Supermicro servers but said supply chain security is "an issue of common concern, and China is also a victim." The more recent manipulation is different from the one described in the Bloomberg Businessweek report last week, but it shares key characteristics: They're both designed to give attackers invisible access to data on a computer network in which the server is installed; and the alterations were found to have been made at the factory as the motherboard was being produced by a Supermicro subcontractor in China. (bloomberg.com, 9 October 2018)

• The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies - The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America's technology supply chain, according to extensive interviews with government and corporate sources. In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. To help with due diligence, Amazon Web Services (AWS), which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental's security. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental's main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc. In late spring of 2015, Elemental's staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says. Nested on the servers' motherboards, the testers found a tiny microchip that wasn't part of the boards' original design. Amazon reported the discovery to U.S. authorities. Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers. During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China. (bloomberg.com, 4 October 2018)

Pages 10 to 11 are withheld pursuant to sections 15(1) - DEF, 15(1) - IA of the Access to Information Act

Request #        Supermicro Network Cards        Mar 05, 2019 13:39

Request Details
(U) This activity was conducted under the Memorandum of Understanding (MoU) between Shared Services Canada (SSC) and the Communications Security Establishment (CSE).
The results of this assessment are based on information provided to CSE as well as the requirements outlined in the governing MOU and solely address the requirements identified in this request. This assessment provides context-specific advice and guidance to mitigate the specific threats related to the products and services under consideration for procurement. CSE does not provide general assessments about companies, nor make statements to other GC departments or non-GC entities dictating procurement decisions.

(B)        looking to purchase Network Cards from Supermicro.

ASSESSMENT
        assessment for this company was completed on 2018-11-21, 68942170
(U) The country of origin is determined to be the US.
(B) Based on the research for this assessment, the vendor/supplier
(B) Based on the research for this assessment, the vendor/supplier
(PB) Based on the research for this assessment, the vendor/supplier

ASSESSMENT
(U) The AOC-S40G-i2C is an advanced 40Gb Ethernet controller. It extends virtualization beyond the server to the network level.
(U) Key Features:
• Low profile
• PCI Express 3.0
• Network virtualization offloads
• Ethernet Flow Director
• Network support for NAS and SAN
(PB) Based on the research for this assessment, the product/service
(PB) Based on the research for this assessment, the product
(B) Based on the information available for this assessment,

RATING
(PB) Based on the information available for this assessment,

OVERALL SCI RISK RATING & MITIGATIONS
(U) If this request includes a Canadian company, a complete assessment was not completed. Based on CSE's current legal and policy framework, Canadian companies cannot be assessed by the
(B) With the information provided for this specific case, the supply chain risk associated with request #
(B) To minimize intrusions or the negative impacts to GC networks by malicious threat actors, ensure your department implements CSE's Top 10 IT Security Actions.

PROTECTED B TEAR-LINE

Request #        Supermicro Servers        Nov 23, 2018 07:27

Request Details
(U) This activity was conducted under the Memorandum of Understanding (MoU) between Shared Services Canada (SSC) and the Communications Security Establishment (CSE).

(B)        looking to purchase the following servers from Supermicro
• 6048R
• 1028R

ASSESSMENT
        assessment for this company was updated on 2018-11-21, [58342170].
(U) The country of origin for the company is determined to be
(PB) Based on the research for this assessment, the vendor/supplier
(B) Based on the research for this assessment, the company
(PB) Based on the research for this assessment, the vendor/supplier

ASSESSMENT
(U) The SuperStorage 6048R and 1028R are Data Center grade storage systems.
(U) Key features include:
• Dual socket R3
• Intel C612 chipset
• Up to 2TB ECC 3DS for the 6048R, 3TB for the 1028R
• Integrated IPMI 2.0 and KVM with dedicated LAN
(B) Based on the research for this assessment,
(B) Based on the research for this assessment,
(B) Based on the information available for this assessment,

RATING
(B) Based on the information available for this assessment,

TEAR-LINE, PROTECTED B

OVERALL SCI RISK RATING & MITIGATIONS
(U) If this request includes a Canadian company, a complete assessment was not completed. Based on CSE's current legal and policy framework, Canadian companies cannot be assessed by the
(B) With the information provided for this specific case, the supply chain risk associated with request #
(B) To minimize intrusions or the negative impacts to GC networks by malicious threat actors, ensure your department implements CSE's Top 10 IT Security Actions.

PROTECTED B TEAR-LINE

Request #        Supermicro Servers        Nov 22, 2018 10:04

Request Details
(U) This activity was conducted under the Memorandum of Understanding (MoU) between Shared Services Canada (SSC) and the Communications Security Establishment (CSE).

(B)        looking to purchase the following servers from Supermicro
• OPTIMIZED X10DRU-i+
• OPTIMIZED X10DRH-iT

ASSESSMENT
        assessment for this company was updated on 2018-11-21, [58342170].
(U) The country of origin for the company is determined to be
(PB) Based on the research for this assessment, the vendor/supplier
(B) Based on the research for this assessment,
(PB) Based on the research for this assessment, the vendor/supplier

ASSESSMENT
(U) The X10DRU-i+ and X10DRH-iT are available in complete server configurations only.
(U) Key features include:
• Dual socket R3
• Intel C612 chipset
• Up to 2TB ECC 3DS for the DRH, 3TB for the DRU
• Integrated IPMI 2.0 and KVM with dedicated LAN
(B) Based on the research for this assessment, the product/service
(PB) Based on the research for this assessment, the product
(B) Based on the information available for this assessment,

RATING
(B) Based on the information available for this assessment,

TEAR-LINE, PROTECTED B

OVERALL SCI RISK RATING & MITIGATIONS
(U) If this request includes a Canadian company, a complete assessment was not completed. Based on CSE's current legal and policy framework, Canadian companies cannot be assessed by the
(B) With the information provided for this specific case, the supply chain risk associated with request #
(B) To minimize intrusions or the negative impacts to GC networks by malicious threat actors, ensure your department implements CSE's Top 10 IT Security Actions.

PROTECTED B TEAR-LINE

s.20(1)(b)
Page 1 of 1
https://        11410087        30/09/2020

UNCLASSIFIED

From:
Sent: October 5, 2018 1:20 PM
To:
Subject: RE: CCCS-CB2018-000-Template
Classification: UNCLASSIFIED

https://        18996058

Threat Analysis & Operational Coordination
Canadian Centre for Cyber Security

IMPORTANT - FOR RECIPIENTS IN EXTERNAL DEPARTMENTS / AGENCIES: This document is the property of the originating agency and has been provided for your INTERNAL USE ONLY. The originating agency must be consulted prior to further dissemination, in whole or in part, or any disclosure under the ATIA or PA.
From:
Sent: October-05-18 10:33 AM
To:        @cyber.gc.ca>
Subject: CCCS-CB2018-000-Template
Classification: UNCLASSIFIED

<< File: CCCS-CB2018-000-Template.docx >>

From:
Sent: October 5, 2018 1:26 PM
To:
Subject: RE: CCCS-CB2018-000-Template
Classification: UNCLASSIFIED

Looks good - please remove the Reuters link, and then forward to        for approval.

Manager
Threat Analysis & Operational Coordination
Canadian Centre for Cyber Security

From:
Sent: October 5, 2018 1:58 PM
To:
Cc: TEC
Subject: FW: CCCS-CB2018-000-Template
Classification: UNCLASSIFIED

Here's a link to the Cyber Bulletin for approval.
https://        18996058

Regards,

Threat Analysis & Operational Coordination
Canadian Centre for Cyber Security

CYBER BULLETIN - MEDIA INTEREST EVENT

This notification is only for distribution within the Government of Canada (see handling instructions below)

Incident Number: CB18-003-        - Media Interest

Description of incident: CCCS is aware of open source reports outlining a potentially serious security issue with circuit boards supplied by Super Micro Computer, Inc., one of the world's largest suppliers of server motherboards.
In the report, researchers discovered the presence of a potentially malicious microchip in the circuit boards used globally. Also, according to media reports, a number of companies have denied any compromise affecting their equipment. As attributed, this represents a potential supply chain risk which CCCS is assessing. At present, CCCS is not aware of any reports of Canadian entities affected by this activity.

Sources of reporting: https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies?srnd=premium-canada

Current actions: CCCS is analyzing this issue to determine the validity of the claims and if there are implications for the Government of Canada or other systems of importance to Canada.

Disclaimer: Distribution of this report remains under the control of the Communications Security Establishment (CSE). It is provided on condition that it is used by Government of Canada departments and agencies. It is not to be re-classified, copied, or resubmitted outside the above mentioned organizations without the express permission of CSE. For the purposes of Access to Information Act requests, the originator will maintain and provide an official copy of this notification.

Page 25 is a duplicate
Page 26 is a duplicate

UNCLASSIFIED
February 26, 2019 8:19 AM
IBM says it fixed flaw that let cloud servers be backdoored. Researcher isn't so sure
Classification: UNCLASSIFIED

FYSA,

"More than five years have passed since researchers warned of the serious security risks that a widely used administrative tool poses to servers used for some of the most sensitive and mission-critical computing. Now, new research shows how baseboard management controllers, as the embedded hardware is called, threaten premium cloud services from IBM and possibly other providers. In short, BMCs are motherboard-attached microcontrollers that give extraordinary control over servers inside datacenters. Using the Intelligent Platform Management Interface, admins can reinstall operating systems, install or modify apps, and make configuration changes to large numbers of servers, without physically being on premises and, in many cases, without the servers being turned on. In 2013, researchers warned that BMCs that came preinstalled in servers from Dell, HP, and other name-brand manufacturers were so poorly secured that they gave attackers a stealthy and convenient way to take over entire fleets of servers inside datacenters."

Reference: https://arstechnica.com/information-technology/2019/02/supermicro-hardware-weaknesses-let-researchers-backdoor-an-ibm-cloud-server/

Incident Management and Operational Coordination
cyber.gc.ca | Canadian Centre for Cyber Security

UNCLASSIFIED
October 4, 2018 10:39 AM
Castonguay, Francis J; Gupta, Rajiv C;
FYSA
Classification: UNCLASSIFIED

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies?srnd=premium-canada

In case you are asked if you are aware of this.
UNCLASSIFIED 1 ‘8-2020-00003-00028 '5.18(1)- DEF .19(1) UNCLASSIFIED From: Sent: October 10, 2018 9:17 AM To: Subject: RE: INPUT REQUIRED please: Report - “The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies" [REQ-9745] Classification: UNCLASSIFIED @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.ge.ca>; @cyber.ge.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca> ‘Subject: RE: INPUT REQUIRED please: Report - "The Big Hack: How China Used a Tiny Chip to infiltrate US Companies" [REQ-9745] Classification: UNCLASSIFIED The Register has published a good rundown of the Bloomberg report, and the subsequent denials from Apple, Amazon, and SuperMicro: httos://www.theregister.co,uk/2018/10/04/supermicro_bloomberg/ @cyber.ge.ca>; @cyber.ge.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @cyber.gc.ca>; @eyber.gcca>, | _ @cyber.gc.ca>; @cyber.ge.ca>; @cyber.gc.ca>, Beyber.ge.ca>; @cyber.gc.c Subject: RE: INPUT REQUIRED please: Report - "The Big Hack: How China Used a Tiny Chip to infiltrate US Companies” [REQ-9745] Classification: UNCLASSIFIED UNCLASSIFIED 1 ‘8-2020-00003-00029 8.45(1)- DEF UNCLASSIFIED ‘Boyber.gc.ca>; Boyber.gc.ca>; @oyber.gc.ca>; ‘@oyber.ge.cat Beyber.ge.ca>; @oyber.gc.ca>; Boyber.gc.ca>; @cyber.gc.ca>; Deyber.ge.ca>; @ @cxt Subject: RE: INPUT REQUIRED please: [REQ-9745] qd @cyber.gc. teport - "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies” Classification: UNCLASSIFIED noted that enquiries like this should go up to corporate comms as we are likely to receive many questions about it. ‘As suggested, I'l go back to the Triage Team and ask them to respond with a "thank you for your interest, please check our website where further information will soon be available” Thanks for the feedback! 
From: [redacted]
Sent: October 4, 2018 12:36 PM
To: [recipients redacted; all @cyber.gc.ca]
Subject: RE: INPUT REQUIRED please: Report - "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies" [REQ-9745]
Classification: UNCLASSIFIED

Maybe we should re-order the questions to first determine their presence in Canada. That might help us filter through these. E.g. if they are not headquartered in Canada or have a large presence in this country we could re-direct them to their regional cyber security centre.

[name redacted]
Senior Cyber Security Advisor, Partnerships
Edward Drake Building
[redacted]@cyber.gc.ca
Canadian Centre for Cyber Security

From: [redacted]
Sent: October 4, 2018 12:26 PM
To: [recipients redacted; all @cyber.gc.ca]
Subject: INPUT REQUIRED please: Report - "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies" [REQ-9745]
Importance: High
Classification: UNCLASSIFIED

All,

[Redacted] has helpfully shared the above-referenced article and encourages us to read it in depth. He has also requested [redacted]. Can you please advise if the response below is sufficient. Please amend as required.

Dear [redacted],

Thank you for contacting the CCCS with this information. Unfortunately, [redacted] with organizations with whom we have sharing agreements in place. If you are interested in partnering with us, please complete and return the questionnaire below so that we can determine if a partnership with your organization is the right fit for the CCCS at this time.

1. What would you like out of a relationship with CSE?
2. What cybersecurity problem(s) are you trying to solve?
3. Where does your organization fit within the North American Industry Classification System (NAICS)?
4. What is the corporate structure of your organization? (i.e. ownership, publicly traded, privately owned)
5. Are you familiar with Canada's Cyber Security Strategy?
6. Are you familiar with CSE's mandate and mission?
7. Do you partner with other government agencies? If so, which ones?
8. Where are your headquarters located?
9. Do you have any international presence?

Thanks

From: [redacted]
Sent: October 4, 2018 9:53 AM
To: Contact
Subject: FW: Report - "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies" [REQ-9745]
Importance: High

From: [redacted]
Date: Thursday, October 4, 2018 at 9:43 AM
Subject: Report - "The Big Hack: How China Used a Tiny Chip to Infiltrate US Companies"

Please find below an extract and highlights of a Bloomberg article that was posted today. I encourage everyone to read it in depth.

The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
...america-s-top-companies

In 2015, Amazon.com Inc. began quietly evaluating a startup called Elemental Technologies, a potential acquisition to help with a major expansion of its streaming video service, known today as Amazon Prime Video. Based in Portland, Ore., Elemental made software for compressing massive video files and formatting them for different devices. Its technology had helped stream the Olympic Games online, communicate with the International Space Station, and funnel drone footage to the Central Intelligence Agency. Elemental's national security contracts weren't the main reason for the proposed acquisition, but they fit nicely with Amazon's government businesses, such as the highly secure cloud that Amazon Web Services (AWS) was building for the CIA. To help with due diligence, AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinize Elemental's security, according to one person familiar with the process.
The first pass uncovered troubling issues, prompting AWS to take a closer look at Elemental's main product: the expensive servers that customers installed in their networks to handle the video compression. These servers were assembled for Elemental by Super Micro Computer Inc., a San Jose-based company (commonly known as Supermicro) that's also one of the world's biggest suppliers of server motherboards, the fiberglass-mounted clusters of chips and capacitors that act as the neurons of data centers large and small. In late spring of 2015, Elemental's staff boxed up several servers and sent them to Ontario, Canada, for the third-party security company to test, the person says.

Nested on the servers' motherboards, the testers found a tiny microchip, not much bigger than a grain of rice, that wasn't part of the boards' original design. Amazon reported the discovery to U.S. authorities, sending a shudder through the intelligence community. Elemental's servers could be found in Department of Defense data centers, the CIA's drone operations, and the onboard networks of Navy warships. And Elemental was just one of hundreds of Supermicro customers.

During the ensuing top-secret probe, which remains open more than three years later, investigators determined that the chips allowed the attackers to create a stealth doorway into any network that included the altered machines. Multiple people familiar with the matter say investigators found that the chips had been inserted at factories run by manufacturing subcontractors in China.

"Having a well-done, nation-state-level hardware implant surface would be like witnessing a unicorn jumping over a rainbow," says Joe Grand, a hardware hacker and the founder of Grand Idea Studio Inc. "Hardware is just so far off the radar, it's almost treated like black magic."

One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world's most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.

A notable exception was AWS's data centers inside China, which were filled with Supermicro-built servers, according to two people with knowledge of AWS's operations there. Mindful of the Elemental findings, Amazon's security team conducted its own investigation into AWS's Beijing facilities and found altered motherboards there as well, including more sophisticated designs than they'd previously encountered. In one case, the malicious chips were thin enough that they'd been embedded between the layers of fiberglass onto which the other components were attached, according to one person who saw pictures of the chips. That generation of chips was smaller than a sharpened pencil tip, the person says. (Amazon denies that AWS knew of servers found in China containing malicious chips.)
