Apple Sends Letter To Congress Denying China Hack

Apple has taken its dispute with a Bloomberg report on Chinese server hacking efforts to Congress, while the company has also received backing from the U.S. Department of Homeland Security.

Cupertino, Calif.-based Apple has issued a series of strong denials following last week's Bloomberg Businessweek story that claimed infiltration of servers, used by the likes of Amazon Web Services and Apple, by Chinese spies.

[Related: Apple Responds To China Hack Story, Again: 'No One At Apple Has Ever Heard Of This Investigation']

Now, Apple has sent a letter to the House and Senate commerce committees indicating that its internal investigations have not corroborated the Bloomberg piece, according to Reuters.

The Bloomberg Businessweek report contends that server motherboards made by San Jose, Calif.-based Supermicro, which were eventually used by companies including Apple and AWS, were compromised with malicious hardware during manufacturing.

The servers were implanted with tiny microchips that were intended to transmit sensitive data to China, according to Bloomberg.

In the letter to Congress, George Stathakopoulos, vice president of corporate information security at Apple, reportedly said that the company has neither found the chips nor received inquiries from the FBI, as claimed in the Bloomberg article.

"Apple's proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity," Stathakopoulos wrote in the letter, according to Reuters. "Nothing was ever found."

Stathakopoulos said that Apple is offering to brief Congressional staff members as soon as this week.

The FBI has declined to comment on the Bloomberg story, including in an email to CRN. But the U.S. Department of Homeland Security has released a statement showing support for the rebuttals issued by Apple and AWS.

"The Department of Homeland Security is aware of the media reports of a technology supply chain compromise. Like our partners in the UK, the National Cyber Security Centre, at this time we have no reason to doubt the statements from the companies named in the story," the Department of Homeland Security said in the statement.

The United Kingdom's National Cyber Security Centre last week said it had "no reason to doubt the detailed assessments made by AWS and Apple." Supermicro has also disputed the Bloomberg report in its own statements.

In a lengthy statement posted on Apple's website last week, the company has said "there is no truth to these claims" reported by Bloomberg.

"On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company said. "Apple never had any contact with the FBI or any other agency about such an incident."

Apple has also addressed speculation that the company might be prevented from commenting on the issue. Apple is "not under any kind of gag order or other confidentiality obligations," the company said in its statement.

The full text of the letter is below and is signed by Stathakopoulos:

In light of your important leadership roles in Congress, we want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true. You should know that Bloomberg provided us with no evidence to substantiate their claims and our internal investigations concluded their claims were simply wrong. We are eager to share the facts in this matter because, were this story true, it would rightly raise grave concerns. A compromise of this magnitude, and the effective deployment of malicious chips like the one described by Bloomberg, would represent a serious threat to the security of systems at Apple and elsewhere. That’s why, ever since we were first contacted by Bloomberg’s reporters in October 2017, we have worked diligently to get to the bottom of their allegations. While the story was being reported, we spoke with Bloomberg’s reporters and editors and answered any and all of their questions. We methodically dispelled the often-shifting nature of their claims. While we repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts.

We were struck by the fact that the gravity and magnitude of the claims seemed to be undermined by their uncertainty around key details. Nevertheless, we worked tirelessly to ascertain whether these claims were true or, failing that, if anything even like them were true.

In the end, our internal investigations directly contradict every consequential assertion made in the article—some of which, we note, were based on a single anonymous source.

Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely planted in any server. We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.

On Saturday night, the U.S. Department of Homeland Security joined the U.K.’s National Cyber Security Centre in saying they have no reason to doubt the statements we’ve made.

Our frustration is animated by the fact that we share your rightful focus on cybersecurity and the integrity of the global supply chain. We understand that, though this story only relates to our enterprise hardware, Americans are justly concerned about how supply chain security affects the consumer products they use every day. Concern for supply chain security is absolutely central to the way we run our business.

If any of the reported details cited above were true, we would have every interest— economic, regulatory, and ethical—to be forthcoming about it. We hold ourselves to the highest standard in the products we create and the data we safeguard, and to help address any concerns you may have, I would like to offer a brief summary of the supply chain protocols we follow to protect ourselves and our customers.

With respect to the information systems we use, we purposely work with multiple vendors, and our infrastructure is very diverse, protected by multiple layers of security. We deploy both commercially available and Apple proprietary security tools, led by an experienced security team that is familiar with diverse threats, simple and sophisticated. We apply rigorous and ongoing diligence to vendors. Before we begin a relationship, vendors are submitted to a review process which can incorporate, depending on the criticality of the services offered, a layers-deep study of the security infrastructure of the vendor in question. The hardware incorporated into our environment is also placed in the scope of Apple’s Vulnerability Management Program which makes these products subject to ongoing vulnerability scans, patching, and security reviews.

In the situation Bloomberg describes, the so-called compromised servers were allegedly making outbound connections. Apple’s proprietary security tools are continuously scanning for precisely this kind of outbound traffic, as it indicates the existence of malware or other malicious activity. Nothing was ever found.

I understand that these topics are of particular interest to your committees. I will be available to brief your staff this week to further address the information we’ve offered here.

Today, individuals, communities, and nations depend on the security and integrity of our shared technological infrastructure. We at Apple hold this responsibility sacrosanct, and we will continue to dedicate intense focus on keeping ahead of the hackers, cybercriminals, and even nation states that hope to steal data and harm user faith in the potential of technology to build a better world.