Apple and Amazon are among US companies and agencies who have had data stolen by Chinese spies, claims Bloomberg.
The data had been siphoned off via tiny chips inserted on server circuit boards made by a company called Super Micro Computer, reported the news agency.
The servers had been compromised during manufacturing and the chips activated once they were up and running, it said.
Apple, Amazon and Super Micro have rejected Bloomberg’s claims, calling them “untrue”.
In particular, Apple released a strong statement in response to Bloomberg’s article saying it had found “no evidence” to support the allegations.
Bloomberg said a year-long investigation by reporters Jordan Robertson and Michael Riley had uncovered evidence of the wide-ranging attack, which gave Beijing access to 30 large companies and many federal agencies.
- US warns of supply chain cyber-attacks
- Pentagon warns on compromised code
- Trump relaxes rules around cyber-attacks
It said the first information about the spying campaign had emerged during security testing carried out by Amazon in 2015 before it had started using servers from US company Elemental, which had been manufactured by Super Micro Computer at plants in China.
And this discovery then kicked off a long-running “top-secret probe” by US intelligence agencies, which found compromised servers:
- in Department of Defense data centres
- onboard warships
- handling data gathered by CIA drones
China was well placed to carry out this kind of attack, said Bloomberg, because 90% of the world’s PCs are made in the country.
Carrying out the attack involved “developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location”, it said.
Many US companies, including Apple, Amazon and major banks, were also using Super Micro Computer hardware.
Bloomberg claims the probe led to some companies removing servers made by Super Micro and ending business relationships with the company.
Amazon and Apple both denied there was any substance to Bloomberg’s claims.
In its lengthy statement, Amazon said: “We’ve found no evidence to support claims of malicious chips or hardware modifications.”
Apple took Bloomberg to task, saying the agency had contacted it “multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident”.
“Each time, we have conducted rigorous internal investigations based on their inquiries and each time we have found absolutely no evidence to support any of them.”
It added: “We have repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.”
Super Micro Computer said it was “not aware” of any government investigation into the issue and no customer had stopped using its products because of fears about Chinese hackers.
China’s Ministry of Foreign Affairs called the story a “gratuitous accusation” and said the safety of supply chains was an “issue of common concern”.
Bloomberg said the denials were countered by testimony from “six current and former national security officials” as well as insiders at both Apple and Amazon who had detailed the investigation and its aftermath.