They do provide sources sometimes - even when their stories are false - which makes credulity without proof that much more surprising.
They're not inviting anyone into Langley, and if this were a claim about e.g. cyberattacks on Ukraine we might not expect evidence. But for something evaluated domestically, especially with physical evidence like SuperMicro, it's relatively common for intelligence sources to point to people who can confirm key elements. That might be a non-government firm which examined the physical evidence, a non-intelligence researcher who can assess the context of a factual claim, or an affected business which can verify what they experienced.
When a CIA source told Judy Miller that Iraq was buying aluminum tubes to centrifuge uranium, they claimed that Oak Ridge nuclear scientists had confirmed their assessment of what the tubes were for. They hadn't, but she apparently didn't bother to check.
When "U.S. officials" told the Washington Post that Russian Grizzly Steppe malware had infected the US electric grid, they provided the name of the utility company which had been attacked - Burlington Electric. Again, this was untrue (the code was found on one laptop unconnected to 'the grid'), but the reporter involved didn't check.
In the SuperMicro case, there doesn't seem to have even been a name given to check, just vague assertions that some company had performed an audit. That ought to have been a warning sign, but it looks like Bloomberg accepted source diversity in place of concrete or verifiable details - we're told of six national security officials, three Apple insiders, two AWS sources (and a partridge in a pear tree).
They're not inviting anyone into Langley, and if this were a claim about e.g. cyberattacks on Ukraine we might not expect evidence. But for something evaluated domestically, especially with physical evidence like SuperMicro, it's relatively common for intelligence sources to point to people who can confirm key elements. That might be a non-government firm which examined the physical evidence, a non-intelligence researcher who can assess the context of a factual claim, or an affected business which can verify what they experienced.
When a CIA source told Judy Miller that Iraq was buying aluminum tubes to centrifuge uranium, they claimed that Oak Ridge nuclear scientists had confirmed their assessment of what the tubes were for. They hadn't, but she apparently didn't bother to check.
When "U.S. officials" told the Washington Post that Russian Grizzly Steppe malware had infected the US electric grid, they provided the name of the utility company which had been attacked - Burlington Electric. Again, this was untrue (the code was found on one laptop unconnected to 'the grid'), but the reporter involved didn't check.
In the SuperMicro case, there doesn't seem to have even been a name given to check, just vague assertions that some company had performed an audit. That ought to have been a warning sign, but it looks like Bloomberg accepted source diversity in place of concrete or verifiable details - we're told of six national security officials, three Apple insiders, two AWS sources (and a partridge in a pear tree).