UPDATE 5 p.m. ET: Apple, Amazon, and Super Micro have all released scathing statements today refuting Bloomberg’s article.
“There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count,” Amazon Chief Information Security Officer Steve Schmidt wrote in a Thursday blog post. “We never found modified hardware or malicious chips in servers in any of our data centers.”
Claims that Amazon sold its Chinese server business due to the purported infection are “absurd,” he added.
Apple, meanwhile, said it has conducted “rigorous internal investigations” based on Bloomberg’s inquiries over the past year, and found no evidence of such an attack.
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the iPhone maker wrote.
Similarly, Super Micro said it “has never found any malicious chips, nor been informed by any customer that such chips have been found.”
In what’s being called a major supply chain attack, Chinese spies used microchips “not much bigger than a grain of rice” to infiltrate nearly 30 US companies, including Amazon and Apple, according to a new Bloomberg report.
Citing 17 anonymous sources, the news outlet on Thursday reported that People’s Liberation Army operatives managed to add tiny, nefarious microchips to server motherboards manufactured by Super Micro. Not part of the motherboards’ original design, the malicious chips are believed to have been implanted at factories run by Chinese manufacturing subcontractors and designed to offer “long-term access to high-value corporate secrets and sensitive government networks.”
Apple, however, says the report is bogus.
“Apple is deeply disappointed that in their dealings with us, Bloomberg’s reporters have not been open to the possibility that they or their sources might be wrong or misinformed,” Apple told AppleInsider. “Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
Bloomberg’s sources claim that Apple removed about 7,000 Super Micro servers from its data centers in 2015 after discovering the malicious chips. The report notes that Amazon, a major bank, and government contractors also fell victim to the attack.
Amazon reportedly caught wind of the attack in 2015 during an evaluation of Elemental Technology, a startup it was looking to acquire. Bloomberg’s sources said an initial probe turned up “troubling issues,” leading the Amazon Web Services team to more closely examine Elemental’s server products. A third-party test of Elemental’s Super Micro-assembled servers turned up those tiny, malicious chips, a discovery Amazon reportedly shared with US authorities at the time.
US authorities kicked off a “top-secret” investigation, which is reportedly ongoing, the report notes.
Amazon, however, also disputes the story.
“It’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental,” Amazon said in a statement to Bloomberg.