A major report from Bloomberg on Thursday describes an infiltration of the hardware supply chain, allegedly orchestrated by the Chinese military, that reaches an unprecedented geopolitical scope and scale—and may be a manifestation of the tech industry's worst fears. If the details are correct, it could be a nearly impossible mess to clean up.

"This is a scary-big deal," says Nicholas Weaver, a security researcher at the University of California at Berkeley.

Cybersecurity experts often describe supply chain attacks as worst-case scenarios, because they taint products or services at the time of their creation. They've also been on the rise on the software side, precisely because of that reach and effectiveness. But the Bloomberg report raises a much more alarming specter: that Chinese government actors compromised four subcontractors of the US-based Super Micro Computer Inc. to hide tiny microchips on Supermicro motherboards.

The chips, Bloomberg says, offered a fundamental backdoor into the devices they were hidden in, ultimately helping the Chinese government access the networks of more than 30 US companies—including Apple and Amazon—and gather intelligence on their plans, communications, and intellectual property.


Apple, Amazon, and Super Micro all issued extensive statements to Bloomberg refuting the report, categorically denying having ever found evidence of such an attack in any of their infrastructure. "Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server," the company wrote, later adding more details in an extended post, including that it was not operating under any kind of government-imposed gag order. Amazon published an extended rebuttal as well. "At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems," the company wrote. "Supermicro has never found any malicious chips, nor been informed by any customer that such chips have been found," wrote Super Micro in a statement.

Security researchers and analysts emphasize, though, that the Bloomberg report raises crucial questions about the threat of hardware supply chain attacks, and the industry's lack of preparedness to deal with them. Lawmakers have clearly considered the issue, given the recent ban on devices made by the Chinese manufacturers ZTE and Huawei in government use. But there still aren't clear mechanisms in place to respond to a successful hardware supply chain compromise.

"This sort of attack undermines every security control we have in place today," says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. "We can detect anomalies on the network to bring us back to a suspicious server, but most organizations simply can't find a malicious chip on a motherboard."

Mere awareness of the threat doesn't help much. Behemoths like Apple and Amazon have effectively unlimited resources to audit and replace equipment throughout their massive footprints. But other companies likely don't have this flexibility, especially given how elusive these intruders are; Bloomberg says the PLA's stowaway component was no bigger than a pencil point.

"The problem with detection is that it's extremely impractical," says Vasilios Mavroudis, a doctoral researcher at University College London who has studied hardware supply chain attacks and worked last year on a model for cryptographically ensuring the integrity of hardware parts during manufacturing. "You need specialized equipment and you have to carefully examine several heterogeneous pieces of complex equipment. It sounds like a nightmare, and it's an expense that's hard for companies to justify."

Even companies that can afford to properly remediate a hardware breach face the obstacle of finding replacements. The threat of supply chain attacks makes it difficult to know who to trust. "Most computer components come through China," Williams says. "It's hard to picture they don't have hooks into companies other than Super Micro. At the end of the day, it's hard to evaluate what's more trustworthy. Backdoored hardware on such a wide scale is unprecedented."