Chinese espionage: Sweating Apple insists breach allegations are ‘not true’

09 Oct 2018

Bloomberg’s report suggesting Chinese espionage within some of America’s largest tech companies exploded onto the headlines last week, and the aftershocks will undoubtedly continue for some time yet.

Some of the biggest companies in the world were implicated in the potentially crippling report that claimed Supermicro chips had been infected by Chinese spies and installed within the inner sanctums of massive global companies like Amazon and Apple.

In the wake of these findings, Supermicro’s stocks collapsed more than 50 percent, although they have begun crawling back a few points as the dust settles.

Supermicro, Amazon, and Apple all vehemently opposed the report from Bloomberg and asserted it to be, quite simply, false. Bloomberg has stood by its report, which is apparently based on more than a year of investigation and 100 interviews, with input from multiple former and current Apple and Amazon employees, in addition to current and former US national security officials.

Now Apple has followed up with a public letter to US Congress, signed off by Apple Information Security vice president George Stathakopoulos – and he wasted no time in rubbishing Bloomberg’s claims.

“You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong,” says Stathakopoulos.

“We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns. A compromise of this magnitude, and the effective deployment of malicious chips like the one described by Bloomberg, would represent a serious threat to the security of systems at Apple and elsewhere.”

Stathakopoulos says that ever since Apple was first contacted by Bloomberg’s reporters in October last year, the company has been working ‘diligently’ to sort out the allegations, staying in constant communication with Bloomberg and answering all of its questions.

“We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts,” says Stathakopoulos.

“We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true.”

Stathakopoulos says that in the end, Apple’s own investigations contradict every single consequential conclusion made in the article.

“Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation,” says Stathakopoulos.

“Our frustration is animated by the fact that we share your rightful focus on cybersecurity and the integrity of the global supply chain. We understand that, though this story only relates to our enterprise hardware, Americans are justly concerned about how supply chain security affects the consumer products they use every day.”

Stathakopoulos then goes on to stress the measures the company takes to prevent situations like the one Bloomberg has implied. These include working with multiple vendors that all undergo a rigorous review process, multiple layers of security, an experienced security team, and ongoing vulnerability scans, patching, and security reviews.

Furthermore, in Bloomberg’s implied scenario the compromised servers were allegedly making outbound connections. Stathakopoulos says this simply wouldn’t be possible, because the company’s proprietary security tools scan continuously for this exact kind of traffic, which indicates the presence of malware or other malicious activity.

“Today, individuals, communities, and nations depend on the security and integrity of our shared technological infrastructure,” says Stathakopoulos.

“We at Apple hold this responsibility sacrosanct, and we will continue to dedicate intense focus on keeping ahead of the hackers, cybercriminals, and even nation states that hope to steal data and harm user faith in the potential of technology to build a better world.”

To add weight to Apple’s claims, over the weekend the US Department of Homeland Security joined the UK’s National Cyber Security Centre, with the duo claiming they had no reason to doubt the statements from the companies named in the report.

Despite this comprehensive letter to Congress and the government assertions, Bloomberg is standing by its reporting. In the original release the report underlined:

"The companies’ denials are countered by six current and former senior national security officials, who—in conversations that began during the Obama administration and continued under the Trump administration—detailed the discovery of the chips and the government’s investigation. One of those officials and two people inside AWS provided extensive information on how the attack played out at Elemental and Amazon; the official and one of the insiders also described Amazon’s cooperation with the government investigation. In addition to the three Apple insiders, four of the six US officials confirmed that Apple was a victim. In all, 17 people confirmed the manipulation of Supermicro’s hardware and other elements of the attacks."

So the question is, who do you believe? We’ll keep you updated, as with all the big trees being shaken there is bound to be something else to drop.
