Amazon, Apple deny Bloomberg's well-sourced report of a massive Chinese hardware hack

If you're two of the world's most popular and profitable companies — or, say, the United States government — a major intelligence attack by a foreign power is news worth denying, vehemently.

On Thursday, Bloomberg Businessweek published a highly-sourced cover story detailing a stunning attack by the Chinese government capable of infiltrating companies including Apple and Amazon, as well as US intelligence agencies, the mormon church, and the porn industry.

According to the report, Chinese spies placed microchips the size of a sharpened pencil tip in the Chinese-manufactured servers of one of the most prolific server-providers in the world, Supermicro. The disguised microchips allowed the government to "alter the operating system’s core so it could accept modifications," and "contact computers controlled by the attackers in search of further instructions and code." Essentially, the microchips provided Chinese spies a secret passageway into the networks of almost 30 companies.

Bloomberg Businessweek says it received confirmation of the attack from 17 people including government intelligence officials, and employees of Amazon and Apple.

But Supermicro, Amazon, and Apple are roundly denying the report. Bloomberg has published the full statements of the three companies in which all companies claim no knowledge of or involvement in any government investigation.

"Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple," the Apple statement reads.

"Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple."

Amazon and Supermicro provide similar statements.

The U.S. Department of Homeland Security issued a statement on Saturday:

The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.

Then, on Sunday, Apple's Vice President for Information Security George Stathakopoulos clarified why the company is so certain in its refutation of the report in a letter provided to Reuters.

"Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found," Stathakopoulos wrote.

If Bloomberg's report is accurate, the attack would be devastating for the United States and the companies involved; it means that China has built a window into the very guts of United States government and business. So for the sake of national and consumer security, let's hope that Bloomberg is somehow mistaken.

But with corroboration from 17 independent sources stacked up against the interests of the world's two most valuable companies, the odds are not looking good.

UPDATE: Oct. 4, 2018, 12:33 p.m. EDT: Amazon released a public blog post emphatically refuting the Bloomberg story. Here is a small portion of the company's official statement:

"There are so many inaccuracies in ‎this article as it relates to Amazon that they’re hard to count ... Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment."

UPDATE: Oct. 4, 2018, 4:30 p.m. EDT: Super Micro Computer also released a statement refuting the Bloomberg story. Here is a small excerpt:

"Super Micro Computer, Inc. (SMCI), a global leader in enterprise computing, storage, networking solutions and green computing technology, strongly refutes reports that servers it sold to customers contained malicious microchips in the motherboards of those systems. ... Supermicro has never been contacted by any government agencies either domestic or foreign regarding the alleged claims."

UPDATED Oct 7, 2018, 5:17 p.m. ET with the DHS statement and update from Apple.