Amazon.com Inc has denied the Bloomberg report claiming their systems had been infiltrated by malicious computer chips inserted by Chinese spies.
On October 4, an article published by Bloomberg Businessweek titled: “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies” claimed an attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising Americas technology supply chain.
Apple Inc and Amazon.com Inc have issued statements denying the Bloomberg report. The story reported that malicious chips were planted by a unit of the Chinese People’s Liberation Army, which infiltrated the supply chain of computer hardware maker Super Micro Computer Inc. The operation is thought to have been targeting valuable commercial secrets and government networks, the news agency said.
An Amazon spokesperson stated: “As we shared with Bloomberg Businessweek multiple times over the last couple months, at no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems.? Additionally, we have not engaged in an investigation with the government.”
The Bloomberg article mentioned that at the time of acquisition in 2015, “AWS, which was overseeing the prospective acquisition, hired a third-party company to scrutinise Elementals security, according to one person familiar with the process. The first pass uncovered troubling issues, prompting AWS to take a closer look at Elementals main product: the expensive servers that customers installed in their networks to handle the video compression”.
Countering the claim, Steve Schmidt, Chief Information Security Officer, wrote in an AWS security blog on October 4: “First, when Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. As is typical with most of these audits, it offered some recommended areas to remediate, and we fixed all critical issues before the acquisition closed. This was the sole external security report commissioned. Bloomberg has admittedly never seen our commissioned security report nor any other (and refused to share any details of any purported other report with us).”
He continues in the blog: “The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data centre. This claim is similarly untrue. The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. And, this notion that we sold off the hardware and datacenter in China to our partner Sinnet because we wanted to rid ourselves of SuperMicro servers is absurd. Sinnet had been running these data centers since we ?launched in China, they owned these data centers from the start, and the hardware we sold to them was a transfer-of-assets agreement mandated by new China regulations for non-Chinese cloud providers to continue to operate in China.”
In its statement Apple said it had refuted “virtually every aspect” of the story in on-record responses to Bloomberg.
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” the company said.
Bloomberg continued to stand by its article stating: “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks.”