According to a report at The Information, Apple relies on others vendors for its iCloud infrastructure. The report references Amazon (AWS), Microsoft (Azure), Google (Google cloud), AT&T and Verizon. The report suggests that Apple, too, has long-time worries about supply chain security:
[…] Apple is also working on projects to design its own servers. At least part of the driver for this is to ensure that the servers are secure. Apple has long suspected that servers it ordered from the traditional supply chain were intercepted during shipping, with additional chips and firmware added to them by unknown third parties in order to make them vulnerable to infiltration, according to a person familiar with the matter. At one point, Apple even assigned people to take photographs of motherboards and annotate the function of each chip, explaining why it was supposed to be there. Building its own servers with motherboards it designed would be the most surefire way for Apple to prevent unauthorized snooping via extra chips.
“You can’t go take an X-Ray of every computer that hits the floor. You want to make sure there’s no extracurricular activity,” a person familiar with the server project said.
The report does not state whether any specific examples of ‘unknown third parties’ are kept in mind, nor whether the suspicion is based on specific evidence. So, it may just be a precautionary deliberation — as would (obviously) be good practice for any organization handling information attractive to domestic and/or foreign spies.
The story by The Information is covered at Business Insider and subsequently posted to Slashdot. (The reason for this blogpost is that neither included the entire text quoted above, which seems quite relevant to me.)