The United Kingdom's cybersecurity agency and the U.S. Department of Homeland Security have also expressed skepticism about the initial report. "In light of your important leadership roles in Congress, we want to assure you that a recent report in Bloomberg Businessweek alleging the compromise of our servers is not true", Apple's vice president of information security George Stathakopoulos wrote in a letter to Congress.
Bloomberg Businessweek raised eyebrows earlier this month with a report claiming to have uncovered evidence that a nation-state attacker had implanted tiny components in server hardware manufactured in China on behalf of Super Micro Computer (known as Supermicro).
Apple has, however, issued a strongly worded denial, which has been backed up by reports from the Federal Bureau of Investigation, casting doubt on Bloomberg's claims.
"It's possible that well-meaning sources confused malware Apple reportedly found in Supermicro firmware with a hardware-based espionage campaign".
"Unusual communications from a Supermicro server and a subsequent physical inspection revealed an implant built into the server's Ethernet connector, a component that's used to attach network cables to the computer", Bloomberg reports Yossi Appleboum, co-CEO of the security firm Sepio Systems, as confirming, citing "documents, analysis and other evidence of the discovery" provided by Appleboum to its reporters in support of the claim. "In all, 17 people confirmed the manipulation of Supermicro's hardware and other elements of the attacks", Bloomberg says, though most remained anonymous "because of the sensitive, and in some cases classified, nature of the information".
On Tuesday, the media outlet behind the claims, Bloomberg, responded to growing criticism of its report by publishing a new, related story about how a "major USA telecommunications company" discovered a similar hardware hack in components from the computer manufacturer at the center of the story, Super Micro.
According to Bloomberg News, Appleboum has ample technical documentation to back up his findings, but sharing it with other parties would presumably violate his non-disclosure agreement by revealing the identity of his telecom client. The factory where the implant was reportedly added appears to be one in Guangzhou, China, which Supermicro uses as a subcontractor.
The issue is sensitive given the tense state of relations between the U.S. and China, not to mention the risk of a stock-market and IT-industry panic if China's tight grip on the computer supply chain had compromised a huge number of servers in sensitive corporate and government facilities.
The criticism was still at full pitch on Tuesday morning when Bloomberg published its follow-up article. Although the follow-up names a single source, some security experts quickly challenged its credibility.
"Sure this story has one named source but it technically makes even less sense than the first one", Cris Thomas, a security expert who tweets under the handle SpaceRogue, wrote. China's embassy in Washington did not return a request for comment Monday.
Other experts were much more circumspect.
"There are technical issues with both stories, but I think both are plausible", Jake Williams, a former NSA hacker who is now founder of Rendition Security, tweeted. Extraordinary claims require extraordinary proof. That adage neither proves nor disproves the claims of a highly sophisticated supply-chain attack infiltrating the world's most powerful organizations. But it is a reminder that we have a long way to go before this troubling reporting should be taken as fact.