The article -- which the companies vigorously denied -- detailed a sweeping years-long effort to install the surveillance chips in servers whose motherboards — the brains of the powerful computers — were assembled in China. One affected company had its servers used by U.S. government clients, including Department of Defense data centers, Navy warships and the CIA in its drone operations.
The extent of the data China collected from the surveillance chips was not clear from the report, and no consumer information was known to have been stolen, according to Bloomberg Businessweek. But it said a top-secret U.S. government investigation, dating from 2015 and involving the FBI, remains open.
The article cited 17 unnamed sources, including industry insiders and current and former U.S. officials. The Chinese government, Apple, Amazon and other involved companies disputed the report to Bloomberg Businessweek, and the FBI and U.S. intelligence officials declined to comment.
Several U.S. officials contacted by The Washington Post said they were uncertain about the accuracy of the Bloomberg Businessweek report. One U.S. official who said Thursday morning that the thrust of the article was true later expressed uncertainty about that conclusion. This person spoke on the condition of anonymity to discuss matters not approved for public release.
Amazon called the story “untrue” in a statement. Apple said in a statement that “we have found absolutely no evidence to support any of” the allegations by Bloomberg Businessweek.
The report came just hours before Vice President Pence was to deliver a stinging rebuke of China in a speech at the Hudson Institute in Washington. Pence was expected to issue a range of criticisms at what the Trump administrations sees as China’s increasingly aggressive behavior, including allegations by President Trump last week that the country is interfering in the U.S. midterm elections.
The United States and China are locked in a bitter and escalating trade war, in which hundreds of billions of U.S. and Chinese products are under tariff.
The reported manipulation of electronics supply chains to U.S. companies are certain to sharpen long-standing questions about the crucial but uneasy relationship between the world’s two leading economies. American companies design and sell leading technology products, such as servers, laptop computers and smartphones, but they are built and assembled largely in China.
“This report provides more evidence that China’s pattern of behavior is a serious threat to national security and supply chain risk management," said said Sen. Mark Warner (Va.), the top Democrat on the Senate Intelligence Committee. “These realities have fundamentally changed the risks for U.S. business – even for companies that have worked in China or with Chinese companies for years.”
U.S. officials long have worried about the potential for altered microchips or other components to be secretly inserted into products and shipped to the United States and elsewhere, opening doors to long-term spying on computer users and their information networks.
Surveillance through altered hardware is more difficult to execute than more familiar hacks to software, but the results can be harder to remedy because the components must be detected and physically removed, or use of the hardware must be discontinued. The surveillance microchips reportedly could have connected to outside computers and secretly downloaded software to bypass security protections, such as passwords or encryption keys, stored elsewhere on the affected servers, enabling remote computerized spying.
The operation, which Bloomberg Businessweek attributed to a Chinese military unit that specializes in hacking hardware, worked by inserting a tiny, innocuous-looking microchip onto motherboards in servers produced by Supermicro, a leading supplier of such equipment, based in San Jose. The company is American, but the motherboards were assembled mainly in China.
Both Apple and Amazon discovered the surveillance chips in 2015 and took steps to replace the affected servers, according to the report, which described close cooperation between U.S. investigators and affected companies. The report said that dozens of companies may have used sabotaged servers in their data centers before the Chinese operation was detected.
Apple on Thursday morning said, “Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”
Amazon, which in 2015 acquired a company, Elemental, whose servers reportedly were affected by the Chinese operation, said in a statement Thursday, “At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government. There are so many inaccuracies in this article as it relates to Amazon that they’re hard to count.”
(The Washington Post is owned by Amazon chief executive Jeffrey P. Bezos.)
Supermicro, which did not reply to requests for comment from The Post, said in its statement to Bloomberg Businessweek, “We are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard.”
Tony Romm contributed to this story.