A potentially devastating cyberespionage campaign, allegedly conducted by Chinese state-sponsored threat actors, may have compromised systems belonging to Apple, Amazon, a major bank, and US government contractors, according to an investigation.
In total, it is believed up to 30 companies may have been affected by the severe compromise of server hardware found in supply chains.
On Thursday, Bloomberg reported that the company at the heart of the matter is Super Micro Computer, also known as Supermicro, which is one of the largest suppliers of server hardware, workstations, storage, and GPU systems worldwide.
According to the publication's investigation, which draws upon interviews with unnamed government and corporate sources, the Chinese People's Liberation Army (PLA) used strong-arm tactics to force the inclusion of illicit chips on server hardware during the manufacturing process in factories.
These chips could then reportedly be activated to compromise the networks of enterprise companies.
Supermicro's customers include Elemental Technologies, a streaming services startup which was acquired by Amazon in 2015 and provided the foundation for the expansion of the Amazon Prime Video platform.
A source close to the matter said that Amazon Web Services (AWS) scrutinized the firm ahead of the purchase, which "uncovered troubling issues."
Supermicro reportedly assembled server motherboards for the startup and after forensic examination, it was found that tiny chips embedded in the board were not part of the original design.
This discovery was reportedly forwarded to US authorities as the same servers were being used by the Department of Defense, CIA, and the US military.
The chips were reportedly built to be as inconspicuous as possible and to mimic signal conditioning couplers. It was determined during an investigation, which took three years, that the chip "allowed the attackers to create a stealth doorway into any network that included the altered machines," Bloomberg reports.
Consumer data is not believed to have been involved in the security incident.
Elemental, whose services were made possible through the manufacturing deal with Supermicro, appears to have been an ideal target for Chinese state-sponsored attackers to conduct covert surveillance.
Apple was one of the victims of the apparent breach, according to Bloomberg. The publication says that the iPad and iPhone maker, once a loyal customer of Supermicro, found the malicious chips in 2015 and cut ties with the company in 2016.
Amazon and Apple have both strongly denied the results of the investigation.
Amazon says that the audit problems were related to web application issues and vulnerabilities, which have been resolved.
"It's untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental," the company added. "It's also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware."
Apple, in turn, said that internal investigations have been conducted based on Bloomberg queries, and "we have found absolutely no evidence to support any of them."
Apple added that it had repeatedly provided on the record facts to refute "virtually every aspect of Bloomberg's story relating to Apple."
"On this, we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the tech giant says. "Apple never had any contact with the FBI or any other agency about such an incident."
Beyond an infected driver discovered in 2016 on a single Supermicro server found in Apple Labs, Apple says that such claims are "inaccurate." It was this incident which may have led to the severed business relationship back in 2016, rather than the discovery of malicious chips or a widespread supply chain attack.
Supermicro says that "we are not aware of any investigation regarding this topic nor have we been contacted by any government agency in this regard."
However, Bloomberg says the denials are in direct contrast to the testimony of six current and former national security officials, as well as confirmation by 17 anonymous sources who said the account of the Supermicro compromise was accurate.
China's Ministry of Foreign Affairs said the country is a "resolute defender of cybersecurity," and while "supply chain safety in cyberspace is an issue of common concern [...] China is also a victim."
Bloomberg's investigation has not been confirmed on the record. The FBI declined to comment for the story.
The full story can be accessed via Bloomberg News.
Update 15.02 BST: At the time of writing, five hours after Bloomberg's investigation was released, Supermicro's share price is down 30.42 percent to $14.89. At 18.13 BST, stocks have now plummeted by 48.46 percent to $11.03.
Update 17.48 BST: In a blog post, AWS Chief Information Security Officer Steve Schmidt labeled the report "absurd," adding that "there are so many inaccuracies in this article as it relates to Amazon that they're hard to count."
"When Amazon was considering acquiring Elemental, we did a lot of due diligence with our own security team, and also commissioned a single external security company to do a security assessment for us as well. That report did not identify any issues with modified chips or hardware. [...]
The article also claims that after learning of hardware modifications and malicious chips in Elemental servers, we conducted a network-wide audit of SuperMicro motherboards and discovered the malicious chips in a Beijing data center. This claim is similarly untrue.
The first and most obvious reason is that we never found modified hardware or malicious chips in Elemental servers. Aside from that, we never found modified hardware or malicious chips in servers in any of our data centers. [...]
Amazon employs stringent security standards across our supply chain -- investigating all hardware and software prior to going into production and performing regular security audits internally and with our supply chain partners. We further strengthen our security posture by implementing our own hardware designs for critical components such as processors, servers, storage systems, and networking equipment."