Apple, Amazon Throw Shade on Supply Chain Hack Story

A report by Bloomberg alleging a massive operation by China’s Peoples Liberation Army (PLA) to plant spy hardware on servers used by some of the U.S.’s most high profile corporations is being refuted by tech vendors Apple as well as Amazon, who contend that no such compromises took place.

The report written by Jordon Robinson and Michael Riley and released Thursday says that PLA agents implanted tiny surveillance chips on server motherboards manufactured by Super Micro Computer. The devices, no larger than a pencil tip, could give Chinese agents access to and control over critical hardware used by Apple Computer, Amazon and other large, U.S. firms, including financial services firms and intelligence agencies, the report says.

[You might also want to read: Massive Facebook Breach Affects 90 Million Accounts]

If true, the incident would be one of the most serious uses of a so-called “supply chain” hack, in which sophisticated adversaries place malicious components on equipment that is then purchased and installed on target networks. The Bloomberg report cites “six current and former senior national security officials” who described to reporters the discovery of the chips and the government’s investigation of them. The reporters also spoke with what were described as “two people inside (Amazon Web Services)” who provided Bloomberg with “extensive information” on how the attack played out at Amazon and the firm Elemental, which Amazon acquired, leading to the discovery of the spy hardware. Bloomberg reporters also cite three Apple insiders who corroborated all or parts of the report.

In all, Bloomberg said it found 17 people who confirmed the manipulation of Supermicro’s hardware and other elements of the attacks, though those sources were granted anonymity.

[See also: Report: Cybercriminals target difficult-to-secure ERP systems with new attacks]

Both Apple and Amazon disputed the report in strongly worded and unequivocal statements Thursday.

“As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue,” wrote Stephen Schmidt, Amazon’s Chief Information Security Officer in a blog post that called the Bloomberg report “erroneous.” “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government,” Schmidt wrote.  “There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count.”

Schmidt’s statement categorically denies most of the claims in the Bloomberg report. Among them: that Amazon discovered modified chips and hardware during its due diligence on Elemental, a video streaming startup based in Portland, Oregon. Amazon also denied claims that the company had traced the malicious chips back to a Beijing data center. “We never found modified hardware or malicious chips in servers in any of our data centers.”

Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment.

Apple also issued a strongly worded statement refuting assertions made in the Bloomberg story and accusing Bloomberg of pushing ahead despite company denials.

“We have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple,” the company said.

The company “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the statement reads, nor has the company had contact with the FBI or any other agency about such an incident,” Apple said.

“We are deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed,” Apple said.

The rancorous back and forth leaves the substance of the Bloomberg piece in doubt. In the short term, however, it is almost certain to play into tensions between the Trump Administration and the government of China. Already on Thursday, Vice President Mike Pence accused Chinese security agencies of “masterminding the wholesale theft of American technology, including cutting-edge military blueprints.” It is unclear whether the comment was related to the Bloomberg report.