The Department of Homeland Security said it “is aware of the media reports of a technology supply chain compromise” and “like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story.”
Apple, Amazon, and Supermicro all denied a Bloomberg Businessweek report stating that Chinese intelligence had infiltrated servers and affected more than two dozen companies by planting microchips in Supermicro servers.
“The chips had been inserted during the manufacturing process, two officials say, by operatives from a unit of the People’s Liberation Army. In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies,” Bloomberg reported. “One official says investigators found that it eventually affected almost 30 companies, including a major bank, government contractors, and the world’s most valuable company, Apple Inc. Apple was an important Supermicro customer and had planned to order more than 30,000 of its servers in two years for a new global network of data centers. Three senior insiders at Apple say that in the summer of 2015, it, too, found malicious chips on Supermicro motherboards. Apple severed ties with Supermicro the following year, for what it described as unrelated reasons.”
Apple said that the company “has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”
The FBI and the Office of the Director of National Intelligence declined to comment. Bloomberg stands by its reporting.
In backing the denials of Apple, Amazon, and Supermicro, the DHS statement added that “information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely.”
“Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains,” the statement continued. “These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.”