Apple CEO Tim Cook, in an interview with BuzzFeed News, went on the record for the first time to deny allegations that his company was the victim of a hardware-based attack carried out by the Chinese government. And, in an unprecedented move for the company, he called for a retraction of the story that made this claim.
Earlier this month Bloomberg Businessweek published an investigation alleging Chinese spies had compromised some 30 US companies by implanting malicious chips into Silicon Valley–bound servers during their manufacture in China. The chips, Bloomberg reported, allowed the attackers to create “a stealth doorway” into any network running on a server in which they were embedded. Apple was alleged to be among the companies attacked, and a focal point of the story. According to Bloomberg, the company discovered some sabotaged hardware in 2015, promptly cut ties with the vendor, Supermicro, that supplied it, and reported the incident to the FBI.
Apple, however, has maintained that none of this is true — in a comment to Bloomberg, in a vociferous and detailed company statement, and in a letter to Congress signed by Apple’s vice president of information security, George Stathakopoulos. Meanwhile, Bloomberg has stood steadfastly by its story and even published a follow-up account that furthered the original’s claims.
The result has been an impasse between some of the world’s most powerful corporations and a highly respected news organization, even in the face of questions from Congress. On Thursday evening, an indignant Cook further ratcheted up the tension in response to an inquiry from BuzzFeed News.
“There is no truth in their story about Apple,” Cook told BuzzFeed News in a phone interview. “They need to do that right thing and retract it.”
This is an extraordinary statement from Cook and Apple. The company has never previously publicly (though it may have done so privately) called for the retraction of a news story — even in cases where the stories have had major errors or were demonstratively false, such as a This American Life episode that was shown to be fabricated.
Reached for comment, Bloomberg reiterated its previous defense of the story. “Bloomberg Businessweek’s investigation is the result of more than a year of reporting, during which we conducted more than 100 interviews,” a spokesperson told BuzzFeed News in response to a series of questions. “Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources.”
Although they are unusual, Cook’s comments highlight the CEO’s ongoing personal involvement in Apple’s response to the story, and his mounting frustration that the company’s rebuttals to it have been ignored by Bloomberg.
“I was involved in our response to this story from the beginning,” said Cook.
“I personally talked to the Bloomberg reporters along with Bruce Sewell, who was then our general counsel. We were very clear with them that this did not happen, and answered all their questions,” said Cook. “Each time they brought this up to us, the story changed, and each time we investigated we found nothing.”
In addition to disputing the report itself, Cook also took issue with the lack of evidence he said Bloomberg supplied to document its claims. Cook said the reporters never provided Apple with any specific details about the malicious chips it is alleged to have found and removed. He added that he thinks the allegations are undergirded by “vague secondhand accounts.”
“We turned the company upside down,” Cook said. “Email searches, data center records, financial records, shipment records. We really forensically whipped through the company to dig very deep and each time we came back to the same conclusion: This did not happen. There’s no truth to this.”
Asked if scenario like the one Bloomberg described could occur without him knowing about it, Cook replied, “The likelihood of that is virtually zero.”
Cook’s commentary only furthers a growing sense of intrigue around the story, which has been the subject of ongoing public debate among information security experts and journalists. The piece would have massive global security ramifications if it is indeed accurate. It was published by one of the most respected publications in the world, one thought to have high-level government sources. And yet government security agencies and people who lead them are also puzzled.
🚨 Something is wrong. Blanket denials from companies, NCSC and DHS are v. unusual. The only precedent for this is a 2014 Bloomberg article, by the same author, which claimed NSA exploited Heartbleed, and was vigorously knocked down with zero follow up by Bloomberg or correction. https://t.co/lRMiJlXD5G
— Nicole Perlroth (@nicoleperlroth) October 7, 2018
The United States Department of Homeland Security, the U.K.’s National Cyber Security Center, NSA Senior Advisor for Cybersecurity Strategy Rob Joyce, former FBI general counsel James Baker and US Director of National Intelligence Dan Coats have all said variously that they either have no reason to doubt the denials of the companies mentioned in the Bloomberg story or that they’ve seen no evidence supporting its claims. And some sources named in the story have raised questions about it and how their remarks were used. One of those sources, hardware security expert Joe Fitzpatrick, told the Risky Business podcast the story “doesn’t make any sense.”
Joyce: “We’re befuddled” about the Bloomberg article. Says he has great access to intel and hasn’t found corroboration of the story last week or the new one on telcos, says there is “great frustration” in government about the stories.
— Dustin Volz (@dnvolz) October 10, 2018
One high-ranking national security official told BuzzFeed News that the story has the ring of truth, but stressed that he had no personal knowledge of the investigation detailed by Bloomberg. The official said that there is a highly classified effort in the American government to detect how adversaries implant devices like the one described in the Bloomberg story.
Meanwhile, other publications have been unable to advance or even match Bloomberg’s reporting. And powerful voices from Silicon Valley to DC have publicly and privately questioned the validity of the story. Earlier this month, FBI Director Christopher Wray warned a hearing of the Senate Homeland Security Committee to “be careful what you read” in reference to the report. And a high ranking executive at a publicly-traded tech giant told BuzzFeed News that his company knew the supply chain in question in the Bloomberg story, and that a corporate investigation didn’t turn up any evidence of tampering. “We couldn’t find anything,” he said. “Our assessment is that it didn’t happen.”
Another high ranking executive at a major Silicon Valley tech company echoed that assessment.
“I’m responsible for supporting many of the organizations that this touched, so this story was a holy shit moment for me,” they told BuzzFeed News. “And we went and pulled every possible string — because god forbid something like this happened and you didn’t know — and we found nothing.”
Amazon, which along with Apple was a major subject of Bloomberg’s story, issued a similarly vehement denial on the day of its publication, and then went dark. The company has not responded to repeated requests for comment, or interviews with CEO Jeff Bezos or general counsel David Zapolsky.
Meanwhile, companies that might possibly be among the 30 alleged to have been compromised are doing all they can to steer clear of the story. “We investigated and we found nothing,” an executive at one Fortune 50 company told BuzzFeed news. “Please leave us out of this. We weren’t mentioned and I don’t want us to be. I don’t know what the fuck is going on here.”
According to numerous spokespeople and executives in positions to know about internal investigations, the following tech companies and banks are not members of the group of almost 30 that Bloomberg alleges were compromised: Google, Microsoft, IBM, Oracle, Dell, Hewlett Packard, Verizon, Comcast, AT&T, Twitter, Palantir, T-Mobile, Goldman Sachs and Capital One.
For now, it seems that resolving the mystery around the story would require Bloomberg to open itself up — or be opened up. But moving from a dispute in public to a dispute in court is something none of the companies named in the report have signaled a desire to do.