Monday, February 18, 2019

The Cybersecurity World Is Debating WTF Is Going on With Bloomberg’s Chinese Microchip Stories

No one is really sure who to believe after Businessweek's bombshell story on an alleged Chinese supply chain attack against Apple, Amazon, and others.


On Tuesday, Bloomberg doubled down on its bombshell report from last week, which alleged China had surreptitiously implanted tiny chips into the motherboards of servers to spy on US companies such as Apple and Amazon. If true, this would be one of the worst hacks in history.
In its new story, Bloomberg reports that a US telecom discovered and removed “manipulated hardware” in its servers. The article does not name the telecom and the key claims are all attributed to one source, Yossi Appleboum, co-CEO of security consultant Sepio Systems. Bloomberg reports Appleboum provided “documents, analysis, and other evidence,” but does not publish those or provide more information about what types of documents or evidence it has.
It is not clear in the article that Bloomberg knows which telecom is apparently affected; it notes that Appleboum is covered by a non-disclosure agreement. Motherboard has reached out to 10 major US telecom providers, and the four biggest telecoms in the US have denied to Motherboard that they were attacked: In an email, T-Mobile denied being the one mentioned in the Bloomberg story. Sprint said in an email that the company does not use SuperMicro equipment, and an AT&T spokesperson said in an email that "these devices are not a part of our network, and we are not affected." A Verizon spokesperson said: "Verizon's network is not affected."
A CenturyLink spokesperson also denied that the company is the subject of Bloomberg's new story. A Cox Communications spokesperson said in an email: "The telecom company referenced in the story is NOT us." Comcast also said it's not the company in the Bloomberg story.
On Monday, Apple also doubled down, with a new strong denial sent to multiple Congressional committees. The company sent a letter refuting the first story, published in Bloomberg's Businessweek, which said China had planted hardware backdoors onto motherboards made by a company called SuperMicro used by multiple US companies, including Apple and Amazon.
The letter is the strongest signal yet from a growing array of government agencies, companies, and technical experts who are calling the Bloomberg story into doubt. (The new story does not directly address these denials.)
If you know anything about this story, please send us a tip. To contact Jason Koebler on Signal: +1 347 513 3688. To contact Joseph Cox on Signal: +44 20 8133 5190. To contact Lorenzo Franceschi-Bicchierai on Signal: +1 917 257 1382
“You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong,” the letter, signed by George Stathakopoulos, vice president of information security at Apple, reads.
“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposefully planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” the letter continues.
Bloomberg's blockbuster piece published last week promised to be our worst fears about supply chain attacks realized. The article claimed the Chinese government had managed to plant tiny, extra chips onto the motherboards of SuperMicro, a computer parts supplier that produces server parts for Apple, Amazon, and many others. Those chips could have given Chinese hackers privileged access to those companies’ systems, the piece said.
“Hardware is a nightmare. We can barely validate software, and all our assumptions rely on the hardware working correctly. Pull away that assumption, it’s like removing the screws from a piece of IKEA furniture,” Matthew Green, associate professor at Johns Hopkins University, previously told Motherboard in an online chat. The article itself was based mostly on anonymous sources, both inside impacted companies and those who had been briefed on the incident.
The fallout, or rather backlash, against the Businessweek piece has been dramatic.
First, Apple, Amazon, and SuperMicro all issued largely unambiguous statements pushing back against the story; it is a relatively unusual move to have such robust, refuting statements that provide little wiggle room for a story’s claims to hold up. Next, the UK’s National Cyber Security Centre (NCSC), the defensive arm of the country’s signals intelligence agency GCHQ, issued its own statement saying it had no reason to doubt Apple’s and Amazon’s denials. The US Department of Homeland Security (DHS) swiftly followed up, saying much the same thing. Apple’s recently retired general counsel even called his FBI equivalent last year after being told by Bloomberg of an investigation into SuperMicro: “Nobody here knows what this story is about,” James Baker, the FBI’s then-general counsel, said, according to a report from Reuters.
In a statement to Motherboard sent on Monday, a Bloomberg spokesperson reiterated that it stands by the story, “and are confident in our reporting and sources.” (Bloomberg did not immediately respond to a request for comment Tuesday after the new story was published. One of the co-authors did not respond to a Twitter direct message.)
