Apple, Amazon Deny Bloomberg Report on Chinese Hardware Attack

Apple, Amazon Deny Bloomberg Report on Chinese Hardware Attack
The Apple Inc. store is seen in Los Angeles on Sept. 16, 2016. (Lucy Nicholson/Reuters)
Reuters
10/4/2018
Updated:
10/4/2018

Apple Inc. and Amazon.com Inc. denied a Bloomberg report on Oct. 4 that their systems had been infiltrated by malicious computer chips inserted by Chinese intelligence, according to statements from the companies released by Bloomberg.

Bloomberg Businessweek cited 17 unnamed intelligence and company sources as saying that Chinese spies had placed computer chips inside equipment used by about 30 companies and multiple U.S. government agencies, which would give Beijing secret access to internal networks.

Representatives of Apple, Bloomberg, the FBI, and Department of Homeland Security could not be reached for comment. An NSA spokeswoman said she had no immediate comment.

China’s Ministry of Foreign Affairs did not respond to a written request for comment. Beijing has previously denied allegations of orchestrating cyber attacks against Western companies.

Amazon Web Services said: “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems. Additionally, we have not engaged in an investigation with the government.”

Apple said it had refuted “virtually every aspect” of the story in on-record responses to Bloomberg. “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the company said.

Bloomberg reported that malicious chips were planted by a unit of the Chinese People’s Liberation Army, which infiltrated the supply chain of computer hardware maker Super Micro Computer Inc. The operation is thought to have been targeting valuable commercial secrets and government networks, the news agency said.

Bloomberg quoted Super Micro as saying it was not aware of the issues described in the report.

“While we would cooperate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard,” Super Micro’s statement said. “We are not aware of any customer dropping Super Micro as a supplier for this type of issue.”

The company also noted that it does not design or manufacture networking chips and associated software used in its hardware, saying it procured them from leading networking companies.

A representative for Super Micro at its European headquarters in the Netherlands said the company was unable to provide immediate comment.

Bloomberg reported that Amazon Web Services uncovered the malicious chips in 2015 when examining servers manufactured by a company known as Elemental Technologies, which AWS eventually acquired.

The investigation found that Elemental servers, which were assembled by Super Micro, were tainted with tiny microchips that were not part of their design, Bloomberg said. Amazon reported the matter to U.S. authorities, who determined that the chips allowed attackers to create “a stealth doorway” into networks using those servers, the story said.

AWS told Bloomberg it had re-reviewed its records related to the Elemental acquisition and “found no evidence to support claims of malicious chips or hardware modifications.”

Bloomberg also reported that Apple in 2015 found malicious chips in servers it purchased from the hardware maker, then stopped doing business with Super Micro in 2016 for reasons that were not related, citing three unnamed company insiders.

Apple denied the account, saying it had investigated the claims.

“On this, we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” Apple told Bloomberg.

The report comes amid increased concerns that foreign intelligence agencies infiltrating U.S. and other companies via so-called “supply chain attacks”, particularly from China where multiple global tech firms outsource their manufacturing.

The U.S. government on Oct. 3 warned that a hacking group widely known as cloudhopper, which Western cybersecurity firms have linked to the Chinese government, has launched attacks on technology service providers in a campaign to steal data from their clients.

The warning came after experts with two prominent U.S. cybersecurity companies warned this week that Chinese hacking activity has surged amid the escalating trade war between Washington and Beijing.

By Jack Stubbs & Sweta Singh