We caught them doing it back in 2018...
Do you think this has become less of a goal for China since 2018? Apple is specifically mentioned as one of the targeted products.
https://arstechnica.com/gadgets/2018/10/bloomberg-super-micro-motherboards-used-by-apple-amazon-contained-chinese-spy-chips/
One of the comments on this article:
You're kind of not versed on this subject at all. That's not even how supply chain risks work. You can't reverse engineer a prebuilt FPGA or PLC/SCADA based interface once it's already constructed. SoCs that you design can be intercepted in transit and replaced by fraudulent versions of the same SoC based on your very own design except now with a malicious security system as part of the SoC's community of processors. Just because you design something and have a damn CAD file doesn't mean jack if you have someone else build it and aren't standing there watching them make it and moving along with the shipment. The whole purpose of Critical Program Information identification on major systems like these in the SCRM process is to identify which components are the most vital and need the most compensatory security across the ENTIRE SUPPLY CHAIN.
You also haven't really accounted for a lot of other factors, but I'm not here to give you a lesson on SCRM when your whole defense is that they "designed it and have CAD files." What, are you going to plug it in and see if it works like intended? Do you know how easy it is to spoof and modulate the exact parameters if you have the original blueprint? Do you know how convincing counterfeit chips are? You can't detect adversarial penetration in an FPGA/SoC or subcomponent chip without destroying it for reverse engineering AND using advanced forensic techniques (that usually National Labs specialize in). You gonna destroy 1 out of every 100 chips to stratify your test lot? They only need access to a few systems to get inside a data center. There is minimal electro-pathway-analysis capability to detect modifications, but they can be bypassed by PLC-controlled logic gates that were part of the original design! Full program protection and SCRM standards are the best way to avoid these risks from the start.
BTW, don't question someone's expertise on a subject if you clearly have no DEPTH in the field yourself. Because your naive answer is the reason companies have such crappy security assumptions in their risk management planning.