A Bloomberg Businessweek investigation found that Chinese operatives managed to insert microchips, no bigger than a grain of rice, into hardware supplied to the United States firm Supermicro, described as one of the world's biggest sellers of server motherboards.
USA officials long have anxious about the potential for altered microchips or other components to be secretly inserted into products and shipped to the United States and elsewhere, opening doors to long-term spying on computer users and their information networks. As for Super Micro, it denied that it introduced the chips during the manufacturing phase.
Neither AWS, Super Micro nor the Chinese foreign ministry immediately responded to requests for further comment.
Super Micro also rejected Bloomberg's reporting. Super Micro servers were removed by Apple that year, according to the report, which also asserts ties with Super Micro were severed in 2016. The Post, which is owned by Amazon CEO Jeff Bezos, also cast doubt on the claim, but cited a US government official who initially confirmed the story before backtracking. The company first discovered the chips in Supermicro servers in May 2015 and informed the Federal Bureau of Investigation about it. Apple planned on using these servers from Supermicro for its iCloud services.
"We are deeply disappointed that in [Bloomberg's] dealings with us, Bloomberg's reporters have not been open to the possibility that they or their sources might be wrong or misinformed".
Apple took Bloomberg to task, saying the agency had contacted it "multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident". "We are not aware of any investigation by the FBI, nor are our contacts in law enforcement".
The report of Chinese hacking chips being systematically added to servers produced in China comes after Donald Trump's administration has placed tariffs on technology components being imported from China. None of those servers has ever been found to hold malicious chips.
In response to the breaking news, Apple wrote, "As a matter of practice, before servers are put into production at Apple they are inspected for security vulnerabilities and we update all firmware and software with the latest protections".
Super Micro Computer said it was "not aware" of any government investigation into the issue and no customer had stopped using its products because of fears about Chinese hackers. The report says that the chips would connect to certain remote systems to receive instructions and could then do things like modify the running operating system to remove password validation, thereby opening a machine up to remote attackers. In a statement to CNBC, Apple said it found a single infected driver on one Super Micro server in a lab, calling it a one-time event. Some said that certain allegations were plausible, but that the strong denials from companies cited in the piece left them with doubts about whether the attacks had happened.
Apple, however, says the report is bogus.
Supermicro for its part has also issued a statement refuting the claims in the report. However, the report is supported by six anonymous current and former senior national security officials. It even confirmed this information with three Apple insiders.