The Bloomberg report says a Chinese subcontractor added the chip to the motherboards used in servers supporting major companies and government agencies, including the CIA. The article says the chip could allow the Chinese government to steal data and conduct surveillance.
Bloomberg cites sources who say the problem emerged as early as 2015 when it was confirmed by independent security investigators working for cloud providers. The news agency says the circuit boards, manufactured in China, are widely used in servers produced by Super Micro, a U.S.-based company.
Apple denied the report in unusually strong language, saying it is "deeply disappointed" that the Bloomberg team working on the story did not appear to consider the possibility their sources were wrong.
"Our best guess is that they are confusing their story with a previously reported 2016 incident in which we discovered an infected driver on a single Super Micro server in one of our labs," the company said in a statement. "That one-time event was determined to be accidental and not a targeted attack against Apple."
Amazon was also adamant in its denial. In a statement to Bloomberg, contained in the story, the company said that it had "found no evidence to support claims of malicious chips or hardware modifications."
Not a simple attack
According to Bloomberg, China manufactures 75 percent of the world's mobile phones and 90 percent of its computers. But the news agency concedes the extreme difficulty China would face in carrying out this kind of attack.
It would mean "developing a deep understanding of a product’s design, manipulating components at the factory, and ensuring that the doctored devices made it through the global logistics chain to the desired location," the authors write.
A hacker interviewed by Bloomberg for the story equated that feat to "witnessing a unicorn jumping over a rainbow."
Yet Bloomberg maintains it happened. It says the chips, no larger than a grain of rice, were inserted during the manufacturing process by Chinese government operatives who targeted a major U.S. server company. In the article, U.S. officials describe it as "the most significant supply chain attack known to be carried out against U.S. companies."