Apple and Amazon.com have denied a media report that their systems had been infiltrated by malicious computer chips inserted by Chinese intelligence, according to statements from the companies released by Bloomberg.
Bloomberg Businessweek cited 17 unidentified intelligence and company sources as saying that Chinese spies had placed computer chips inside equipment used by about 30 companies and multiple U.S. government agencies, which would give Beijing secret access to internal networks.
Representatives of Apple, the FBI and Department of Homeland Security could not be reached for comment by Reuters, while a National Security Agency spokeswoman said she had no immediate comment.
China's Ministry of Foreign Affairs did not respond to a written request for comment. Beijing has previously denied allegations of orchestrating cyber attacks against Western companies.
Apple said it had refuted "virtually every aspect" of the story in on-record responses to Bloomberg. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company said. Amazon Web Services (AWS) said it found no issues.
Bloomberg said its report was accurate.
"Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks," Bloomberg said in a statement. "We stand by our story and are confident in our reporting and sources."
The story reported that malicious chips were planted by a unit of the Chinese People's Liberation Army, which infiltrated the supply chain of computer hardware maker Super Micro Computer.
The operation is thought to have been targeting valuable commercial secrets and government networks, the news agency said.
In a blog post on the Bloomberg report, Amazon Web Services said: "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in Super Micro motherboards in any Elemental or Amazon systems. Additionally, we have not engaged in an investigation with the government."
Super Micro Computer shares fell 38 per cent to US$13.26 in Pink Sheet trading. They had fallen as low as US$8.50 earlier in the session.
San Jose, California-based Super Micro said it strongly denies reports that servers it sold to customers contained malicious microchips in the motherboards of those systems.
It said it has never found any malicious chips, has not been informed by any customer that such chips have been found, and has never been contacted by any government agencies on the matter.
Bloomberg reported that AWS uncovered the malicious chips in 2015 when examining servers manufactured by a company known as Elemental Technologies, which AWS eventually acquired.
The investigation found that Elemental servers, which were assembled by Super Micro, were tainted with tiny microchips that were not part of their design, Bloomberg said.
Amazon reported the matter to U.S. authorities, who determined that the chips allowed attackers to create "a stealth doorway" into networks using those servers, the story said.
AWS told Bloomberg it had re-reviewed its records related to the Elemental acquisition and "found no evidence to support claims of malicious chips or hardware modifications."
Bloomberg also reported that Apple in 2015 found malicious chips in servers it purchased from the hardware maker, then stopped doing business with Super Micro in 2016 for reasons that were not related, citing three unidentified company insiders.
Apple denied the account, saying it had investigated the claims.
"On this, we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," Apple told Bloomberg.
The report coincides with the increasing concerns of authorities in the United States about foreign intelligence agencies infiltrating U.S. government agencies and private companies via so-called "supply chain attacks," particularly from China where many global tech firms outsource their manufacturing.
The U.S. government on Wednesday warned that a hacking group widely known as cloudhopper, which Western cyber security firms have linked to the Chinese government, has launched attacks on technology service providers in a campaign to steal data from their clients.
Two prominent U.S. cyber security companies warned this week that Chinese hacking activity has surged amid a trade war between Washington and Beijing.
(Reporting by Jack Stubbs in London; Sweta Singh in Bangalore; Christopher Bing in Washington; Kenneth Li in New York, Adam Jourdan in Beijing; writing by Jim Finkle; editing by Nick Zieminski and Grant McCool)
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.