Amazon, Super Micro Join Apple In Demanding Retraction Of Bloomberg Story On Hacked Server Boards

Networking cables in a server room in New York (stock photo). (Photo: Michael Bocchieri, Getty Images)

A report earlier this month from Bloomberg Businessweek alleging 17 unnamed sources had confirmed Chinese spies infiltrated the supply chain of microchip manufacturer Super Micro, installing tiny espionage chips that allowed them to wiretap systems belonging to almost 30 U.S. companies, has earned denials from Homeland Security, Apple, and Amazon. Now executives from Super Micro and Amazon are following Apple CEO Tim Cook’s lead and publicly demanding a retraction of the story, the Verge reported Monday.

Apple had previously denied the story, including in letters to Congress. Cook told BuzzFeed News there was “no truth” in the story last week, saying “They need to do the right thing” and retract the piece. Now Amazon Web Services chief Andy Jassy as well as Super Micro CEO Charles Liang have issued similar calls.

“@tim_cook is right. Bloomberg story is wrong about Amazon, too,” Jassy tweeted. “They offered no proof, story kept changing, and showed no interest in our answers unless we could validate their theories. Reporters got played or took liberties. Bloomberg should retract.”

“Bloomberg should act responsibly and retract its unsupported allegations that malicious hardware components were implanted in our motherboards during the manufacturing process,” Liang told CNBC’s Steve Kopack. “...Bloomberg has not produced a single affected motherboard, we have seen no malicious hardware components in our products, no government agency has contacted us about malicious hardware components, and no customer has reported finding any malicious hardware components, either.”

In a separate letter from Super Micro to the Securities and Exchange Commission obtained by the Wall Street Journal, the company added, “despite the lack of any proof that a malicious hardware chip exists, we are undertaking a complicated and time-consuming review to further address the article.”

Super Micro’s stock plummeted following the original story.

While the denials are unusually strong—and scepticism has built in some quarters about the allegations—Bloomberg has stood by the story, publishing an additional account from security expert Yossi Appleboum that he had discovered a bugged Super Micro ethernet connector in the server of a major telecom. (Appleboum, though, also said he had found similar gear before and that such security holes affect the entire “Chinese supply chain.”) Bloomberg also insisted that the DHS denial was not ironclad because a separate agency, the FBI, ran the investigation into the bugged equipment, the Register wrote:

That is a plausible explanation. It is also possible that Apple and Amazon have walled-off security arms that do not communicate with the larger corporate body and it is they that discovered the spy chip and worked with intelligence agencies. Such a corporate disassociation would provide a buffer that enables executives to deny their activities or findings.

Just as likely however is that Bloomberg’s reporters made mistakes in their reporting and the organisation failed to adequately fact check the article. Or that they stumbled on an intelligence misinformation campaign and have been effectively reporting its effectiveness within certain groups of people.

No physical examples of the allegedly bugged equipment have yet turned up.

The original report seemed to match up with other concerns from Western governments and companies that Chinese manufacturers could be compromised by intelligence operatives. Best Buy, for example, stopped selling Huawei devices earlier this year, and Chinese companies may be shut out of bidding on U.S. 5G network expansion contracts. U.S. lawmakers have also warned that networking equipment produced by Huawei and ZTE pose a national security threat, though the companies involved have denied the allegations.

Chinese hackers allegedly stole trade secrets from U.S. companies for years before a 2015 international agreement seemed to cool the trend. (According to Axios, CrowdStrike co-founder Dmitri Alperovitch said the cyberattacks seem to have picked up again starting last year.) But many of the more recent allegations have come at a time when Donald Trump’s decision to start trade war has already strained relations with China, and the primary short-term impact of the espionage allegations has been to add fuel to the fire. In that sense, it’s been difficult to separate accusations founded in truth from those that may be bluster.

With the major companies involved united in demanding a retraction, the battle over the Super Micro hacking allegations is likely to continue. In a statement to the Journal on Monday, a Bloomberg spokesperson wrote that 17 different people “confirmed the manipulation of hardware and other elements of the attacks.... We stand by our story and are confident in our reporting and sources.”

[The Verge]

Trending Stories Right Now