A Bloomberg Businessweek report last Thursday claimed that a Chinese military unit hid microchips in multiple Super Micro Computer Inc (Supermicro) server motherboards in widespread use at U.S. companies. The Department of Homeland Security released a statement this weekend supporting Apple and Amazon’s statements denying the report, saying “at this time we have no reason to doubt the statements from the companies named in the story.”
The Bloomberg report claimed that the microchips, each the size of a pencil tip and allegedly ended up in server boards used by almost 30 companies as well as government agencies, compromised entire data centers operated by Amazon and Apple. The report said that U.S. investigators found out that after Chinese agents operating on behalf of the People’s Liberation Army had used a combination of subterfuge, bribery, and threats to place the compromising chips during various stages of the Supermicro supply chain, they would have been nearly impossible to detect and given backdoor access to all systems they were planted in.
One official cited says investigators eventually discovered that the infiltration affected nearly 30 companies, including a major bank, government contractors, and the trillion dollar company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.
Both Apple and Amazon fervently deny the claims, per the Verge:
Both Amazon and Apple strongly refute the story. Amazon says it is “untrue” that it knew of “servers containing malicious chips or modifications in data centers based in China,” or that it “worked with the FBI to investigate or provide data about malicious hardware.” Apple is equally definitive, telling Bloomberg: “On this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
Apple staff separately told BuzzFeed News that the company had conducted a detailed investigation into the allegations of the Bloomberg report and found absolutely no corroborating evidence:
“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”
A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”
According to Reuters, Apple’s retired chief counsel Bruce Sewell stated that he was reassured by the FBI’s then-general counsel James Baker there was no substance to the report immediately after he had learned of Bloomberg’s investigation last year.
“I got on the phone with him personally and said, ‘Do you know anything about this?,” Sewell told Reuters. “He said, ‘I’ve never heard of this, but give me 24 hours to make sure.’ He called me back 24 hours later and reassured Sewell, ‘Nobody here knows what this story is about.’”