Amazon.com Inc. and Apple Inc. are said to have been targeted in a Chinese spying campaign that reportedly saw malicious chips enter their data centers as part of compromised server motherboards.

That’s the claim put forth in a bombshell Bloomberg report published today. Apple and Amazon have outright rejected the allegations, while Super Micro Computer Inc., the motherboard maker said to be at the center of the affair, denied knowledge of several key points in the story in unusually strong language.

The information in the report is attributed to no fewer than 17 anonymous sources. Bloomberg cited three “senior” Apple insiders, two sources at Amazon’s cloud division and six current and former senior national security officials, who said that the reported campaign is the subject of an ongoing government investigation.

The probe was reportedly launched in 2015 following the discovery of spying chips in servers from Elemental Technologies Inc., a video compression startup. The company had sent a few of its machines to an unnamed security firm for testing as part of due diligence done in connection with its acquisition by Amazon, which took place in September of the same year. The malicious chips were reportedly found nested on Supermicro motherboards inside the servers.

One source claimed that investigators eventually discovered similar chips in data centers owned by a variety of other firms. In all, today’s report claims that the attack was found to affect nearly 30 U.S. companies, including Apple, Amazon, a major bank and government contractors.

Investigators have supposedly uncovered multiple variants of the spying chips as part of the probe. According to one of the sources, some of the units were smaller than the tip of a sharpened pencil. They were reportedly planted on Supermicro motherboards at factories run by Chinese manufacturing subcontractors and could alter an operating system that it would accept malicious updates, as well as contact remote servers.

The national security officials cited in the story described the incident as the biggest supply chain attack known to have been carried out against U.S. companies. This is due in large part to the fact that Supermicro, which is based in San Jose, California, is one of the world’s leading makers of motherboards. Its hardware can be found in a massive array of devices ranging from data center servers to MRI systems.

Apple and Amazon have issued statements strongly denying the parts of the report pertaining to them. The iPhone maker said that “on this we can be very clear: Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server.”

Amazon, in turn, stated that “it’s untrue that AWS knew about a supply chain compromise, an issue with malicious chips, or hardware modifications when acquiring Elemental. It’s also untrue that AWS knew about servers containing malicious chips or modifications in data centers based in China, or that AWS worked with the FBI to investigate or provide data about malicious hardware.”

After the report, Supermicro’s stock, which was delisted from the Nasdaq exchange in August after it said it was unable to file its 10K financial documents, plummeted more than 43 percent on the OTC Markets.

Image: Pixabay