Multiple senior Apple executives, speaking with BuzzFeed News on the condition of anonymity so that they could speak freely, all denied and expressed confusion with a report earlier this week that the company’s servers had been compromised by a Chinese intelligence operation.
On Thursday morning, Bloomberg Businessweek published a bombshell investigation. The report — the result of more than a year of reporting and over 100 interviews with intelligence and company sources — alleged that Chinese spies compromised and infiltrated almost 30 US companies, including Apple and Amazon, by embedding a tiny microchip inside company servers.
“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this. We found nothing.”
According to Bloomberg’s reporting, an attack of this caliber isn’t just elaborate but “the most significant supply chain attack known to have been carried out against American companies.” The security ramifications for the businesses (and consequently millions of Americans) are likely dizzying.
Reached by BuzzFeed News, multiple Apple sources — three of them very senior executives who work on the security and legal teams — said that they are at a loss as to how to explain the allegations. These people described a massive, granular, and siloed investigation into not just the claims made in the story, but into unrelated incidents that might have inspired them.
“We tried to figure out if there was anything, anything, that transpired that’s even remotely close to this,” a senior Apple security executive told BuzzFeed News. “We found nothing.”
A senior security engineer directly involved in Apple’s internal investigation described it as “endoscopic,” noting they had never seen a chip like the one described in the story, let alone found one. “I don’t know if something like this even exists,” this person said, noting that Apple was not provided with a malicious chip or motherboard to examine. “We were given nothing. No hardware. No chips. No emails.”
Equally puzzling to Apple execs is the assertion that it was party to an FBI investigation — Bloomberg wrote that Apple “reported the incident to the FBI.” A senior Apple legal official told BuzzFeed News the company had not contacted the FBI, nor had it been contacted by the FBI, the CIA, the NSA, or any government agency in regards to the incidents described in the Bloomberg report. This person’s purview and responsibilities are of such a high level that it’s unlikely they would not have been aware of government outreach.
Reached for comment, Apple directed BuzzFeed News to its Thursday blog post.
Apple’s broad, categorical denial is essentially unprecedented in its detail. For example, when the Washington Post revealed the government's PRISM program in 2013, Apple, Google, and Facebook all issued very precise denials noting that none had given government agencies “direct access to our servers.” In this case, however, Apple’s statement leaves little room for interpretation or alternate explanations. Apple not only denies the direct claims about its involvement with the FBI, but goes further to deny that “anything like this” happened. It went on to state that “we are not under any kind of gag order or other confidentiality obligations.”
Bloomberg’s defense of its story is equally forceful. On Friday, the publication stood by its reporting. “Bloomberg Businessweek's investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
The result is an unusual stalemate that’s left onlookers baffled.
“We are not restrained in any way.”
The story has clearly rattled Apple, a notoriously private company, and one that has long touted its strong commitment to privacy. Sources say the company’s infosec team is aghast at the allegations. “This did not happen,” a senior Apple security executive told BuzzFeed News. This person insisted, vehemently, that there is no dissembling in the company’s response, that it didn’t secretly remove compromised servers, or discover compromised servers during the acceptance process and stop short of deploying them. “We have literally seen nothing like this.”
"Your iPhone is absolutely not compromised," another senior Apple security engineer told BuzzFeed News. "Nothing is compromised." And, "by the way," this person added, "no servers were removed — not 7,000, not 2,000." Apple, they explained — referencing a 2017 report by The Information — found a lone piece of common malware on a single server in a lab environment. The company determined it was the result of poor system hygiene on the part of server motherboard supplier Super Micro Computer. "We lost confidence in the vendor. We moved on. Plenty of companies do this."
Particularly vexing for Apple, say company sources, is the suggestion it might be lying to the public to protect national security interests. The company has said on record that it is under no gag order, but Congress has on occasion granted retroactive immunity to companies aiding US intelligence efforts. However, a senior Apple legal official who spoke with BuzzFeed News said the company is bound by no confidentiality order or agreement. “We are not restrained in any way,” this executive said. Asked point blank if Apple is lying to the public in the interests of national security, this executive replied, “No.”
For Apple, the investigation into the Bloomberg allegations appears to be over. Multiple sources tell BuzzFeed News that the company believes it’s done everything it can, pulled all the threads, talked to everyone, and examined every corner of its business. It’s reached a what-else-can-we-do impasse.
What happens next isn’t exactly clear. Those with a vested interest — security professionals, government officials, and Amazon and Apple’s millions of customers — are left with questions that are currently unanswerable as Bloomberg and the subjects of its story continue to square off.