Here's what I expect them to do. Show me a real picture of the chip. Show me some samples of the malicious traffic. Show me some code that they found. Tell us which server models they found the affected hardware in. Somebody should have SOME shred of information on this, but there is none. You don't just sell thousands of servers and not have a few of them that end up getting shipped to someone else, or have a few that end up in someone's test lab or home lab.
Somebody should be able to produce SOMETHING without giving up their sources. Why can't they produce any of this?
If this story is as real as Bloomberg wants us to think, there are too many tampered motherboards in circulation for them to have all been vacuumed up by someone with a clearance.
A random technician in a datacenter is under no obligation not to leak one unless he holds (or held) a clearance and has agreed to the terms of it.
Example: back when internet worms like SQL Slammer were a thing, classification was a huge point of contention among gov security. At least in some agencies, because they were due to a vulnerability in a gov system, the IT/security staff were unable to discuss it with outside, uncleared people, because the vulnerability aspect made it classified. At the same time, knowledge of said worms and backdoors was public all over the news, and no reporters ever went to jail for discussing it.
This isn't so different - it only takes one person without a clearance to dig up one of these chips and publish pictures, and they can do so legally. The fact that it hasn't happened tells me this isn't a widespread problem.