In early October, Bloomberg Businessweek published one of the year’s most stunning tech stories. Under the headline “The Big Hack,” reporters Jordan Robertson and Michael Riley reported that China had managed to infiltrate top U.S. companies — including server company Super Micro (or Supermicro) and Apple — with a chilling hardware hack carrying implications for the entire U.S. economy. It came under fire immediately, as government officials and the companies themselves either denied the reporting or claimed no familiarity with it.
In response, Bloomberg issued a statement that read, in part: “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews.”
The company can now adjust those numbers a bit. According to informed sources, Bloomberg has continued reporting the blockbuster story that it broke on Oct. 4, including a very recent round of inquiries from a Bloomberg News/Bloomberg Businessweek investigative reporter. In emails to employees at Apple, Bloomberg’s Ben Elgin has requested “discreet” input on the alleged hack. “My colleagues’ story from last month (Super Micro) has sparked a lot of pushback,” Elgin wrote on Nov. 19 to one Apple employee. “I’ve been asked to join the research effort here to do more digging on this … and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings.”
One person who spoke with Elgin told the Erik Wemple Blog that the Bloomberg reporter made clear that he wasn’t part of the reporting team that produced “The Big Hack.” The goal of this effort, Elgin told the potential source, was to get to “ground truth”; if Elgin heard from 10 or so sources that “The Big Hack” was itself a piece of hackery, he would send that message up his chain of command. The potential source told Elgin that the denials of “The Big Hack” were “100 percent right.”
According to the potential source, Elgin also asked about the possibility that Peter Ziatek, senior director of information security at Apple, had written a report regarding a hardware hack affecting Apple. In an interview with the Erik Wemple Blog, Ziatek says that he’d never written that report, nor is he aware of such a document. Following the publication of Bloomberg’s story, Apple conducted what it calls a “secondary” investigation surrounding its awareness of events along the lines of what was alleged in “The Big Hack.” That investigation included a full pat-down of Ziatek’s own electronic communications. It found nothing to corroborate the claims in the Bloomberg story, according to Ziatek.
The person who spoke with Elgin tells this blog that the Bloomberg reporter is developing his own sources on this particular assignment. Meaning that the investigative reporter may stumble upon terrain already trodden by the reporters of “The Big Hack.” In August, for example, Robertson checked in with Jesse Rosenzweig, CTO of mobile video firm Elemental Technologies, which was acquired by Amazon in 2015:
Hi Jesse, I’m a reporter with Bloomberg Businessweek in Washington DC. I assume you’ve probably heard by now that we’re working on a story that involves Elemental and Supermicro. Specifically, the story is about how AWS discovered — in the course of buying Elemental — that some Supermicro servers used by Elemental had been modified in the supply chain with added malicious chips, which was essentially a targeted attack against U.S. government and other large clients by a nation-state. I have been in extensive contact with Amazon and AWS’s PR teams and I have their official denial of these events, which we plan to publish in our story. However, we have very good sources on this matter and we do plan to publish the piece. (The same discovery that happened to Elemental also happened to multiple other important companies at the same time, and we have extensive information from those as well). As a co-founder and senior executive of Elemental, I assume that you would have been brought into these discussions about Supermicro as they were occurring. As such, it’s my responsibility to reach out and see if you’re willing to talk off-the-record about anything you might know about this. I would not use your name or any other identifying information. I understand the restrictions about talking to a reporter as a current AWS employee, and the fact that the discovery of these added components was not widely shared within either company, so you may not have even been made aware. But considering that AWS’s official stance is that these events never happened, if you do have any information about these events it would be extremely helpful for ensuring accuracy of what we will publish and how Elemental is represented in this major piece. Please think about it.
Rosenzweig responded: “Appreciate the reach out. I have no knowledge of modified Supermicro servers, and as a co-founder of Elemental who has been deeply involved in every aspect of the business, I would have known. This simply did not happen.” Though “The Big Hack” included a denial from Amazon, it didn’t publish the reply of Rosenzweig. (Amazon CEO Jeffrey P. Bezos owns The Post.)
A couple of points here: The recent round of sleuthing by Elgin appears to be good journalism; there’s nothing untoward and everything legitimate about finding sources, asking them for interviews and pursuing the truth. This particular round of truth-seeking, of course, would have been better timed to precede a decision on publication of “The Big Hack.” And the Erik Wemple Blog doesn’t normally find it relevant or newsworthy to document communications between reporters and potential sources as work proceeds on a project.
In this case, however, the circumstances are a bit different. “The Big Hack” was big news, involving hostile foreign actors and brand-name companies here in the United States. Agents working for the Chinese People’s Liberation Army, the story reported, had managed to seed server motherboards made in China by subcontractors for San Jose-based Super Micro Computer with ill-intended microchips. The hack allegedly affected some 30 companies, including Apple and Amazon Web Services, according to the piece. Following a bunch of criticism, Apple CEO Tim Cook called for the story to be retracted, as did an executive with Amazon Web Services.
Not only did industry and government officials denounce the conclusions on the record, but the story itself was short on hard evidence of a supply-chain compromise. It relied on “17 people” who “confirmed the manipulation of Supermicro’s hardware and other elements of the attacks. The sources were granted anonymity because of the sensitive, and in some cases classified, nature of the information,” noted the story. What it lacked were documents, photos, reports — any of the artifacts that would logically go along with such a scary intrusion into the U.S. economy.
Despite such shortcomings, Bloomberg continues to stand by the same stand-by statement it issued weeks ago: “We stand by our story and are confident in our reporting and sources.”
That’s an odd formulation in light of the outlet’s continued efforts to do “more digging” on the story. When pressed about how the company will approach the findings of Elgin & Co., a spokesperson for Bloomberg pointed this blog to previous statements, including this one: “We do not comment on our unpublished newsgathering, editorial processes, or plans for future reporting.”
More reading on this issue: Patrick Kennedy at STH wrote a highly technical though lay-person-accessible debunking of “The Big Hack”; the Wall Street Journal’s Greg Bensinger wrote on the doubts of semiconductor executives on the hack story; BuzzFeed reporters John Paczkowski, Charlie Warzel and Joseph Bernstein have covered the story consistently; also recommended are pieces from Lightbluetouchpaper.org, ZDNet and Business Insider.