Bloomberg isn't standing firm and backing everything they reported. They have been rather sneaky in their non-denial denial of what is increasingly looking like rather dodgy reporting. They said:
"Seventeen individual sources, including government officials and insiders at the companies, confirmed the manipulation of hardware and other elements of the attacks. We also published three companies’ full statements, as well as a statement from China’s Ministry of Foreign Affairs. We stand by our story and are confident in our reporting and sources."
But note how carefully this is worded. As John Gruber of Daring Fireball has pointed out, they are notably being careful not to say Cook is wrong, or that their story is true. And the Buzzfeed story goes on to note that no one in the security community has been able to verify anything in Bloomberg’s story and no other news source has backed it up (tip of the hat also to Gruber).
Additionally, in an early Daring Fireball report, Gruber quotes a transcript of the Risky Business podcast in which Joe Fitzpatrick, a security researcher contacted by Bloomberg, said the following:
FITZPATRICK: But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at Black Hat two years ago worked.
GRAY: So I guess what you are saying here is, the report, I mean all of the technical details of the report, you’d covered that ground with that reporter.
FITZPATRICK: Yeah, I had conversations about all the technical details and various contexts. But there are a lot of filters that happen, you know? When I explain hardware things even to software people, I don’t expect people to get it the first time and I don’t expect people to be able to describe it accurately all the time. So there is definitely a lot of telephone exchange happening.
GRAY: OK but why did that make you feel uneasy? Could it be the case that you know that the technical things you told him lined up perfectly with the technical things that some of these 17 of the anonymous sources told him?
FITZPATRICK: You know, I’m just Joe. I do this stuff solo. I am building hardware implants for phones to show off at conferences. I’m not a pro at building hardware implants. I don’t work for any nation or any state building and shipping these as products. I feel like I have a good grasp at what’s possible and what’s available and how to do it just from my practice. But it was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100 percent of what I described was confirmed by sources.
GRAY: And that’s what he was telling you through this process?
FITZPATRICK: That’s what I read in the article.
GRAY: OK, right. You find that a bit strange? That every single thing you seem to tell him, or a large proportion of what you told him, was then confirmed by his other sources.
FITZPATRICK: Yeah, basically. Either I have excellent foresight or something else is going on.
All in all it very much seems like a Bloomberg reporter has got somewhat carried away with a possibility and reported it as fact. I even wonder if the reporter was mistaking these stories for a hinted reality. For example, did the reporter get carried away and think Fitzpatrick was speaking hypothetically to present the truth without breaking confidence or legal non-disclosure, when in fact Fitzpatrick was only speaking hypothetically?
It seems a distinct possibility to me that the reporter added 2 + 2 and calculated that the result is 5. Certainly the denials are very direct and Cook is prepared to put his integrity on the line. If for SEC rules alone, his statement is highly significant. When execs of a public company have something to hide, they usually avoid talking about it so as to avoid all possibility of legal blowback, and word is Cook is one of the more trustworthy of the major tech CEOs.