Apple, Amazon deny report malicious chip from Chinese spies entered supply chain

Apple Inc. and Amazondenied a Bloomberg report on Thursday that their systems contained malicious computer chips inserted by Chinese intelligence, according to the tech companies' statements released separately by Bloomberg.

Bloomberg Businessweek cited 17 unnamed intelligence and company sources as saying that Chinese spies had placed computer chips inside equipment used by around 30 companies, as well as multiple U.S. government agencies, which would give Beijing secret access to internal networks.

Representatives of Apple, Bloomberg, the FBI and Department of Homeland Security could not be reached for comment. An NSA spokesperson said she had no immediate comment.

China's foreign affairs ministry did not immediately respond to a written request for comment on Thursday. Beijing has previously denied allegations of orchestrating cyberattacks against Western companies.

Amazon Web Services said: "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems. Additionally, we have not engaged in an investigation with the government."

Apple said it had refuted "virtually every aspect" of the story in on-record responses to Bloomberg. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company said.

Bloomberg reported that the malicious chips were planted by a unit of the Chinese People's Liberation Army, which infiltrated the supply chain of a hardware company called Super Micro. The operation is thought to have been targeting valuable commercial secrets and government networks, the news agency said.

Bloomberg quoted Super Micro as saying it was not aware of the issues described in the report.

"While we would co-operate with any government investigation, we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard," Super Micro's statement said. "We are not aware of any customer dropping Super Micro as a supplier for this type of issue."

The company also noted that it does not design or manufacture networking chips and associated software used in its hardware, saying it procured them from leading networking companies.

A representative for Super Micro at its European headquarters in the Netherlands said the company was unable to provide immediate comment.

Super Micro operates out of San Jose and was founded in 1993 by a Taiwanese-born engineer.

Separate warning from U.S. government

Apple, according to the report, ended its business relationship with Super Micro in 2016.

Bloomberg reported that Amazon Web Services uncovered the malicious chips in 2015 when examining servers manufactured by a company known as Elemental Technologies, which AWS eventually acquired.

Amazon reported the matter to U.S. authorities, who determined that the chips allowed attackers to create "a stealth doorway" into networks using those servers, the story said.

AWS told Bloomberg it had taken another look its records related to the Elemental acquisition and "found no evidence to support claims of malicious chips or hardware modifications."

There have been increased concerns about foreign intelligence agencies infiltrating U.S. and other companies via so-called "supply chain attacks," particularly from China where multiple global tech firms outsource their manufacturing.

The U.S. government on Wednesday warned that a hacking group widely known as cloudhopper, which Western cybersecurity firms have linked to the Chinese government, has launched attacks on technology service providers in a campaign to steal data from their clients.

The warning came after experts with two prominent U.S. cybersecurity companies warned this week that Chinese hacking activity has surged amid the escalating trade war between Washington and Beijing.

With files from CBC News