A blockbuster Bloomberg report that Chinese spies infiltrated the networks of Amazon Web Services and Apple was met with unusually detailed pushback from two usually reticent companies Thursday.
In the report, Bloomberg cites several government and company sources that claim AWS discovered the tiny spy chips on servers built for Portland-based Elemental Technologies by a company called Supermicro when the cloud giant was evaluating whether to purchase the startup, which it did in 2015. At the time, Elemental had contracts with government customers like the CIA, and according to the report AWS reported the discovery to federal authorities.
However, in a statement provided to Bloomberg, AWS disputed that it was aware of any such chips and that it had worked with the FBI on the matter. It said it had reviewed documents surrounding the acquisition of Elemental and the third-party security audit that Bloomberg reported led to the discovery of the chips, and “we’ve found no evidence to support claims of malicious chips or hardware modifications.”
AWS later published a blog post by Steve Schmidt, chief information security officer for the cloud company. “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems,” he wrote.
According to the report, Apple also bought a number of servers from Supermicro, a Bay Area-based server company, around the same time. Bloomberg quoted “three senior insiders” as saying they had also discovered the tiny chips, which Bloomberg said were much smaller than a penny and were designed to transmit information back to China about the data flowing across the servers.
But Apple was also unusually direct in its refutation of Bloomberg’s report, which cited 17 sources inside the U.S. government and the affected companies detailing the manipulation of Supermicro’s motherboards while they were being manufactured in China.
“On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident,” the company said in a statement provided to Bloomberg.
Rumors of spy chips and bugs have floated around the hardware industry for years. Nearly all the critical parts of a server are made and assembled in China or Taiwan, and China’s espionage operation has targeted the tech industry before, such as in 2010 when hackers believed to be working on behalf of the Chinese government infiltrated Google.
For its part, Supermicro also said it was unaware of any investigation into its products and said it had not been contacted by “any government agency.” According to the report, AWS and Apple stopped buying servers from Supermicro in 2016, and soon thereafter Supermicro told investors that it had lost “two major customers.” No one disputed that.
[Editor’s note: This post was updated to include a blog post from AWS.]