US and UK security agencies have said they have “no reason to doubt” Amazon and Apple declarations that they have not been victims of a major supply chain security breach.
The two tech companies were named in a Bloomberg article claiming both had bought critical server hardware that had been tampered with by Chinese authorities during its manufacturing process.
Both firms and the hardware supplier Supermicro forcefully denied the allegations.
The Bloomberg article describes a serious vulnerability built into hardware used by Amazon’s cloud computing division Amazon Web Services (AWS), some Apple servers and some critical public sector organisations including the US Department of Defence and the Central Intelligence Agency.
The article cites 17 anonymous sources, including people inside the companies involved and US officials, who claim the server hardware had been tampered with. It claimed tiny microchips – the size of a grain of rice – were added to server motherboards by the Chinese government at factories run by subcontractors in China.
It said the exploit could allow access into networks that contained the compromised servers.
The Bloomberg report also claimed there is an ongoing “top secret” probe into the matter being run by US authorities.
However, the UK’s National Cyber Security Centre (NCSC) told Reuters it had “no reason to doubt the detailed assessments made by AWS and Apple” that it said showed they had not been affected by the alleged hack.
A day later the US Department of Homeland Security said: “At this time we have no reason to doubt the statements from the companies named in the story.”
Apple has also written to US Congress to dispute the claims.
Amazon told Bloomberg it was “untrue that AWS knew about servers containing malicious chips or modifications… or that AWS worked with the FBI to investigate or provide data about malicious hardware”.
Apple said it had “never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server”.
China’s Ministry of Foreign Affairs also disputed the Bloomberg article, telling the publication it was a “resolute defender of cybersecurity” and “also a victim” of cyber attacks.