Hacking

Another stakeholder has come forward to discount Bloomberg Businessweek’s Chinese hacking story. In a rare Saturday press release, the U.S. Department of Homeland Security (DHS) says it has no reason to doubt the statements made by companies like Apple and Amazon about the story. Where this goes from here is anyone’s guess.

As we noted soon after it occurred, on Oct. 4, Bloomberg published a story about how Chinese hackers infiltrated the technology supply chain for up to 30 companies by placing tiny microchips on server motherboards produced by Supermicro. The devices, as small as the tip of a pencil, were designed to change the machine’s operating system to accept code modifications, no doubt by people in China.

For its reporting, Bloomberg relied on interviews with unnamed government and corporate sources. These contacts said the Chinese spy ring was discovered by the U.S. government and the companies affected years ago. Further, Bloomberg found no direct evidence that company or user data was stolen.

Unfortunately for Bloomberg, no one is publicly backing its story.

Soon after Bloomberg published, Apple came out and called it incorrect. In a terse statement, Apple noted Bloomberg had contacted the company “multiple times with claims, sometimes vague and sometimes elaborate, of an alleged security incident.” Each time, the company completed “rigorous internal investigations based on their inquiries, ” and “found absolutely no evidence to support any of them.”

Additionally, Apple claimed it had “repeatedly and consistently offered factual responses, on the record, refuting virtually every aspect of Bloomberg’s story relating to Apple.”

For its part, Amazon said it was also unaware of any “supply chain compromise, an issue with malicious chips, or hardware modifications.”

Supermicro, one of the world’s largest motherboard providers, was equally frank, noting, “We are not aware of any investigation regarding this topic.”

Saturday’s statement from DHS reads:

The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story. Information and communications technology supply chain security is core to DHS’s cybersecurity mission and we are committed to the security and integrity of the technology on which Americans and others around the world increasingly rely. Just this month – National Cybersecurity Awareness Month – we launched several government-industry initiatives to develop near- and long-term solutions to manage risk posed by the complex challenges of increasingly global supply chains. These initiatives will build on existing partnerships with a wide range of technology companies to strengthen our nation’s collective cybersecurity and risk management efforts.

This is a weird story and one that gets even stranger by the day. As more groups come forward to discount Bloomberg’s words, the more I’m inclined to believe that perhaps something did happen that would reflect poorly on not just Apple but on the U.S. government too.

We’ll continue to follow this story. In the meantime, what do you think? Let us know your thoughts in the comments below.