Yesterday afternoon Bloomberg published an eye opening report entitled 'The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies'. It detailed how Chinese spies got 'God Mode' access within almost 30 American tech companies including Apple and Amazon. In brief, the report explained how the Chinese PLA managed to install a tiny chip on a Supermicro motherboard component made in China, which would then be hidden in servers used in big American tech companies. The disguised or hidden spy chips were only noticed because Amazon employed a firm to undertake due diligence assessments on its AWS servers - the Chinese spy chip was, of course, not part of the component board original designs.
Via the implanted spy chips, "not much bigger than a grain of rice", Chinese hackers could subvert the hardware they were installed in, siphoning off data and letting new code into the system like a Trojan Horse virus. We don't have any record of what data might have been compromised but Bloomberg says that both Apple and Amazon worked quietly to remove compromised servers from their networks after the misspecification had been noted.
Apple, Amazon, Supermicro deny spy chip story
Within hours of the Bloomberg report, official statements have been released from all the big names involved in this story, including Apple, Amazon, Supermicro, and the Chinese Government. You can read the four respective statements on Bloomberg's own right-to-reply page here. If you go ahead and read the statement at that link, or via Apple's and Amazon's own press releases, you will see that they all say that Bloomberg's 'The Big Hack' story is untrue.
Apple asserts that it has "never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server." Amazon says that in its due diligence records there is no evidence that AWS knew about servers containing malicious chips or modifications in data centres based in China. Neiether did AWS work with the FBI to investigate or provide data about malicious hardware. Supermicro adds its voice with a similar statement, saying that it is "not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard". Lastly the Chinese Ministry of Foreign Affairs said it works with the international community "on tackling cybersecurity threats through dialogue on the basis of mutual respect, equality and mutual benefit" and supply chain safety is of great importance to China as it is also a victim.
Basically all named parties in Bloomberg's original story have come forward to refute it. Thus this story is in a state of flux and Bloomberg and/or its sources may have to come up with some more evidence of the original allegations. In the video below you will see that in the face of the denials Bloomberg is still "confident in the sourcing" of the original story. Perhaps there will be updates on this situation later today or over the weekend.