Bloomberg’s ‘big hack’ sequel only raises more questions

February 16, 2021, 10:33 PM UTC

Cyberia is a treacherous land—a cold, perilous, and unforgiving terrain for journalists to navigate. There are few signposts, compass readings are suspect, and will-o-the-wisps love to lead wanderers astray. I am referring, of course, to the cybersecurity beat.

On Friday, Bloomberg published a sequel to “The Big Hack,” its contentious and widely disputed 2018 investigation into an alleged hardware supply chain hack. The supposed espionage case centered on Supermicro, a San Jose, Calif.-based firm that makes computer server parts. In the earlier story, Bloomberg reported that Chinese agents infiltrated U.S. companies—including Apple and Amazon—using grain-sized spy chips surreptitiously fitted onto Supermicro hardware.

The first article drew immediate backlash. Cybersecurity experts disputed the technical details. A named source disavowed the story. And just about all the companies and authorities involved—including Supermicro, Apple, Amazon, and even the United States National Security Agency—issued unambiguous denials and rejections.

None of that stopped Bloomberg from doubling down. In the new story, published Friday, Bloomberg addresses some of the pushback. Then it claims—through a combination of squishy sourcing and a cataloguing of ancillary cybersecurity incidents—that the original report “only captured part of a larger chain of events.” Rather than clearing up the matter, the follow-up report raises more questions.

Supermicro, for one, has strenuously objected, again, calling the new piece “a mishmash of disparate and inaccurate allegations that date back many years.” Bloomberg didn’t attempt to further its earlier assertions about compromises at Apple and Amazon, whose names appear in the latest report only to note they called for retractions. Joseph Menn, a veteran cybersecurity reporter at Reuters, joked about the new story, “This is the weirdest retraction I have ever read.”

The best skeptical dissection of Bloomberg’s latest reporting comes from Matt Tait, a senior cybersecurity fellow at the University of Texas at Austin’s Center for International Security and Law, who goes by the moniker PwnAllTheThings on Twitter. “This story is too big, and the refutations too blunt and too numerous to support on this level of third- and fourth-hand sourcing,” he said of the new story. “If they have documents: go for it. Make fools of Apple, Amazon, FBI, NSA, DHS and ODNI by publishing them. Otherwise, this story should not have run.” (I recommend reading Tait’s point-by-point objections in full.)

On the one hand, I commend the Bloomberg team for attempting to get its initially clumsy investigation on surer footing. The new story reveals more details about the U.S.’s alleged national security suspicions over and secret counterintelligence investigations into Supermicro. The outcome of those mysterious investigations, and whether they remain ongoing, is unclear, as the authors note. (Bloomberg hasn’t issued an additional statements about its latest story, and it never retracted its earlier story.)

But the new reporting hardly settles the matter. When Bloomberg’s earlier story published, I advised readers to file the reporting “under cloak, not dagger.” I stand by that assessment. The earlier piece had obvious holes; tellingly, Bloomberg’s sequel does not link to its first article. And the new piece relies heavily on anonymous or secondhand sourcing, which does not inspire confidence.

Some sort of espionage incident—or incidents—may have occurred, but what exactly? How serious were they? And why have no alleged spy chips turned up in the public domain in the past two years?

Without more documentation, our guides leave us stranded in Cyberia.

Robert Hackett

Twitter: @rhhackett


Lowly Worm on the streets of Busytown. The rumor mill continues to churn over Apple's interest in finding a manufacturing partner for its rumored Apple Car, also called Project Titan. Talks between the iPhone-maker and Japan's Nissan automaker fell through when the two companies failed to reach an agreement over branding, the Financial Times reports. Car manufacturers are apparently worried about becoming "the Foxconn of the auto industry," and Apple's talks with South Korea's Hyundai also recently broke down. (Subject line a nod to Richard Scarry.)

'Fore the day I die, I'ma touch the sky. The price of Bitcoin breached $50,000 for the first time ever Tuesday morning, setting a new record high. The cryptocurrency's total market value in circulation is more than $900 billion—nearing $1 trillion—having more than doubled in two months. Companies ranging from BNY Mellon to Mastercard to Tesla to PayPal, plus various hedge fund managers, have all warmed up to cryptocurrency recently, helping fuel the rally. 

Voulez-vous Parler avec moi? The social media app Parler is back after Amazon knocked it off its web infrastructure a month ago. The loosely moderated app, popular among some conservatives, found a new home with Epik, a web hosting business known for catering to far-right sites. After firing its former CEO John Matze, Parler appointed an interim CEO, Mark Meckler, cofounder of the right-wing group Tea Party Patriots, while it hunts for a more permanent boss. 

Hobbits will shape the fortunes of all. Shares of Palantir, the Colo.-based data analytics firm, fell 9% Tuesday morning after the company reported a loss of 8 cents per share in its fourth quarter ended Dec. 31 with a forecast of decelerated sales growth for the year ahead. Despite the dip, Palantir said it brought in $322 million in revenue in the most recent quarter, more than the $300.7 million analysts expected. Alex Karp, Palantir's cerebral, Silicon Valley-spurning chief exec, told investors he hopes “those of you who prefer a more short-term focus, that you choose companies that are more appropriate for you."

Jagged little pill. South Korean intelligence officials said North Korean hackers tried to steal COVID-19 vaccine technology from U.S. pharma company Pfizer, according to a local outlet Yonhap. Details are scarce and Pfizer has yet to issue a statement.

Dragon's on the desert floor. French security officials linked a recently uncovered, widespread hacking campaign to Sandworm, a hacker group associated with Russia's GRU military intelligence agency. Dating to late 2017, the cyber-spree mainly hit IT and web hosting firms, officials said, and it compromised an IT monitoring tool called Centreon. (Sounds a bit like the SolarWinds's hackers subversion of the network monitoring tool Orion, eh?)

Happy Valentine's Day.


Fortune brought in Bill Gates, Microsoft cofounder, billionaire philanthropist, and author of the new book How to avoid a climate disaster, to guest edit a package of stories we're calling "Blueprint for a climate breakthrough." Gates spoke to Fortune editor in chief Clifton Leaf about his ideas. He also penned a piece advocating for the adoption of a new metric called Green Premiums, which calculates the cost difference between using clean energy versus fossil fuels.

When I worked at Microsoft, my colleagues and I would pore over data about our business. We knew the numbers on our sales, our customers, and our competitors inside and out. We weren’t alone, of course—every good business leader does the same thing. The only way to know whether you’ll meet your goals is to measure where you stand at the moment. 

But when it comes to climate change, the important metrics aren’t nearly as clear. I think this vacuum helps explain why the debate over what to do about climate change is so fraught. 


Why we asked Bill Gates to be Fortune’s guest editor today by Clifton Leaf

The great chip shortage of 2021: Why carmakers and computermakers are scrambling by Aaron Pressman

Europe wants a mutant COVID clause built into its vaccine supply contracts by Alberto Nardelli and Nikos Chrysoloras

These young climate activists are shaping the future of our planet by Emma Hinchliffe and Claire Zillman

Bill Gates sees innovation as key to achieving net-zero by Alan Murray

TikTok targeted over ‘misleading’ privacy practices and ‘ambiguous’ terms in Europe by David Meyer

(Some of these stories require a subscription to access.Thank you for supporting our journalism.)


Ever hear of Prince Hall? He was a manumitted African American born in 1770 whom the Atlantic ranks among America's founding fathers. Hall founded the first Black Masonic Lodge in the Americas, fostered the early Black activist community in Boston, and advanced the abolitionist movement. He was "the first American to publicly use the language of the Declaration of Independence for a political purpose other than justifying war against Britain," writes Harvard historian Danielle Allen.

Let's keep Hall's memory alive as we celebrate Black History Month this year.

Read More

CEO DailyCFO DailyBroadsheetData SheetTerm Sheet