Apple Inc and Amazon.com Inc denied a Bloomberg Businessweek report on Thursday that said their systems had been infiltrated by malicious computer chips inserted by Chinese intelligence agents.
Bloomberg cited 17 unidentified sources from intelligence agencies and business to support claims that Chinese spies had placed computer chips inside equipment used by about 30 companies and multiple US government agencies, which would give Beijing secret access to internal networks.
"In Supermicro, #China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies." https://t.co/d0gzZxZZsd
— Nick Short (@PoliticalShort) October 4, 2018
China’s Ministry of Foreign Affairs did not respond to a written request for comment. Beijing has previously denied allegations of orchestrating cyber attacks against Western companies.
Security experts who have worked for government agencies and large corporations told Reuters that they were surprised by the stark discrepancy between the claims in the Bloomberg article and the strongly worded denials from Apple and Amazon.com Inc’s Amazon Web Services. Some said that certain allegations were plausible, but that the strong denials from companies cited in the piece left them with doubts about whether the attacks had happened.
“There is no truth” to claims in the story that Apple found malicious chips in its servers in 2015, the said in a statement. “This is untrue,” Amazon said in a blog post.
Bloomberg defended its reporting.
“Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks,” Bloomberg said in a statement. “We stand by our story and are confident in our reporting and sources.”
The report said that a unit of the Chinese People’s Liberation Army infiltrated the supply chain of computer hardware maker Super Micro Computer Inc to plant malicious chips that could be used to steal corporate and government secrets.
Super Micro Computer shares fell 38% to $13.26 in Pink Sheet trading.
San Jose, California-based Super Micro strongly denied that it sold servers to customers contained malicious microchips in the motherboards of those systems. It said it has never found any malicious chips, had not been informed that such chips were found by any customer, and never been contacted by government agencies on the matter.
Bloomberg reported that Amazon uncovered the malicious chips in 2015 when examining servers manufactured by a company known as Elemental Technologies which Amazon eventually acquired.
The investigation found that Elemental servers, which were assembled by Super Micro, were tainted with tiny microchips that were not part of their design, Bloomberg said. Amazon reported the matter to US authorities, who determined that the chips allowed attackers to create “a stealth doorway” into networks using those servers, the story said.
AWS told Bloomberg it had reviewed its records related to the Elemental acquisition and “found no evidence to support claims of malicious chips or hardware modifications.”
Bloomberg also reported that Apple in 2015 found malicious chips in servers it purchased from the hardware maker, citing three unidentified company insiders.
Apple denied the account, saying it had investigated Bloomberg’s claims.
Representatives with the Federal Bureau of Investigation and the US Department of Homeland Security did not respond to requests for comment. A US National Security Agency spokeswoman said she had no immediate comment.
While the companies disputed the facts in the story, security experts noted that there is growing concern that hackers could launch cyber attacks by inserting malicious chips into hardware sold to government agencies and businesses.
“Extended, complex, global supply chains create a risk for malicious cyber activity that companies must take into account,” said Michael Daniel, chief executive of the non-profit Cyber Threat Alliance.