When Bloomberg Businessweek published an extraordinary story in early October about a China hardware hack, it surely expected to change the tech conversation for months to come. The headline: “The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies.”
The impact has indeed materialized, though perhaps not the way that Bloomberg had planned. Instead of prompting, say, a new diplomatic initiative to deal with China over the hack, or an initiative by tech companies to protect themselves against foreign intrusions, or demands from consumers for reforms, the story has sustained beating after beating. Industry officials have come forward with increasingly vehement denials, while government officials have said on the record that they know nothing of the claims. Tim Cook, the chief executive of Apple — which was allegedly affected by the hack — demanded a retraction.
And on Tuesday, another blow: Supermicro, a San Jose-based maker of servers alleged to have been compromised in the Bloomberg story, announced the results of an audit covering issues raised in the story. “Recent reports in the media wrongly alleged that bad actors had inserted a malicious chip or other hardware on our products during our manufacturing process,” noted the company’s release, which later asserted: “After a thorough examination and a range of functional tests, the investigations firm found absolutely no evidence of malicious hardware on our motherboards.” According to Reuters, the auditing firm is Nardello & Co.
“The Big Hack” claimed that operatives with the Chinese People’s Liberation Army had managed to compromise Supermicro server motherboards by infiltrating subcontractors in China. This supply-chain attack, reported Bloomberg Businessweek, eventually compromised servers at Apple and at a company acquired by Amazon, not to mention dozens of other companies not identified in the story. (Amazon’s founder and chief executive, Jeffrey P. Bezos, also owns The Post.) Those allegations met with heated responses from the companies, which claimed they’d never seen any evidence to support the reporting. Nor did the story provide any physical evidence in the form of documents, chips or emails.
The stakes were towering, as Bloomberg Businessweek noted: “This attack was something graver than the software-based incidents the world has grown accustomed to seeing. Hardware hacks are more difficult to pull off and potentially more devastating, promising the kind of long-term, stealth access that spy agencies are willing to invest millions of dollars and many years to get.”
All the denials have clearly unsettled the editorial brain trust at Bloomberg Businessweek. As this blog reported, the company dispatched reporters to continue working on the story even after it was published — an effort that was ongoing as of mid-November. “My colleagues’ story from last month (Super Micro) has sparked a lot of pushback,” wrote Bloomberg reporter Ben Elgin on Nov. 19 to an Apple employee. “I’ve been asked to join the research effort here to do more digging on this . . . and I would value hearing your thoughts (whatever they may be) and guidance, as I get my bearings.”
These reporters are doing their work from an island: More than two months after Bloomberg Businessweek’s story hit the Internet, its rivals — including the Wall Street Journal, The Post, the New York Times and a crop of ace tech sites — have failed at their attempts to follow up. According to informed sources, for example, several reporters at the New York Times tilted at the story; they failed to replicate the Bloomberg findings.
Meaning: If members of the recent Bloomberg “research effort” manage to stand up the original Oct. 4 report, they will have participated in one of the greatest journalistic comebacks ever recorded. And a whole bunch of tech executives will have a lot to answer for.
A Bloomberg spokesperson declined to comment on either the company’s reporting or on the Supermicro statement.