Apple and Amazon have issued detailed responses to Bloomberg’s report on how China managed to hack into the servers of nearly 30 US-based companies, including government agencies. The report talks of a comprehensive attack which relied on inserting a tiny microchip in servers during the manufacturing process itself.
Apple and Amazon have both disputed the claims by Bloomberg. Here’s a detailed look at what has happened so far.
What did the report say about this China hacking of US companies like Apple and Amazon?
According to Bloomberg, servers from a company called Supermicro, which had clients like Apple and Amazon, were infected with a tiny microchip. This allowed Chinese agencies access to the devices. The chips were planted at the manufacturing level, and allowed for a hardware-level attack, which is one of the hardest to carry out.
The report says the spy chips infected thousands of servers, including the ones used by Department of Defense data centres, the CIA’s drone operations, and the onboard networks of Navy warships. Supermicro, which is based in the US, is one of the biggest server suppliers, which is why this attack was so widespread, the report says.
In fact, Amazon Web Services (AWS) had planned to acquire a company called Elemental, which relied on servers from Supermicro. Amazon discovered the malicious chips in 2015 when servers from Elemental were sent for third-party security checks.
These tiny chips “had been inserted during the manufacturing process,” noted two officials, according to Bloomberg. China’s People’s Liberation Army is believed to have carried out this operation, it adds.
The attack impacted 30 companies, “including a major bank, government contractors, and the world’s most valuable company, Apple Inc,” notes the report.
Apple found the malicious chips in 2015, and then severed ties with Supermicro in 2016, says the report. No clear reasons were given for this, claims the report.
While both Apple and Amazon have denied the charges, Bloomberg reports that six current and former senior national security officials are countering these claims. However, these officials have not been named given the investigation is classified.
The report says that the microchip “could also contact computers controlled by the attackers in search of further instructions and code.” It also notes that Apple informed the FBI after discovering malicious chips in May 2015, but did not reveal much information. However, when Amazon also found the issue, it gave US officials access to the impacted hardware, which made it easier to investigate the problem.
What is Apple’s response to this China server hacking story?
Apple denies that any “malicious chips” were present in its servers on its network in 2015. In a statement posted on the Apple website, the company says that it has denied these claims to the Bloomberg reporters and editors over the past 12 months.
“There is no truth to these claims,” reads the statement.
“Over the course of the past year, Bloomberg has contacted us multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident at Apple. Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them. We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple,” it adds.
Apple is firmly denying it found malicious chips on servers or that it contacted the FBI or any other government agency. Apple also denied that it tried to restrict any FBI investigation.
The statement adds, “Our best guess is that they are confusing their story with a previously-reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs. That one-time event was determined to be accidental and not a targeted attack against Apple.”
Apple says no one at the company has heard of this investigation claimed by Bloomberg. It also denied being “under any kind of gag order or other confidentiality obligations.”
What does Amazon have to say on Bloomberg’s report on China hacking?
Just like Apple, Amazon is denying the claims made in the article about malicious servers being used on Amazon Web Services.
The statement says that Bloomberg’s report is untrue. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government,” Amazon said.
Amazon pointed out that when it was trying to acquire Elemental, they also “commissioned a single external security company to do a security assessment for us as well”. The company says the report did not find “any issues with modified chips or hardware”.
Other critical issues pointed out in the audit were fixed, according to Amazon.
The statement denies that it “conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center.”
“This claim is similarly untrue,” said Amazon Web Services. “We never found modified hardware or malicious chips in servers in any of our data centers.”
“Amazon employs stringent security standards across our supply chain – investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners… AWS is trusted by many of the world’s most risk-sensitive organizations precisely because we have demonstrated this unwavering commitment to putting their security above all else,” wrote Steve Schmidt, Chief Information Security Officer of Amazon Web Services.