What am I missing here?
"A third thing to consider is this: if true, a lot of effort went into this surveillance operation. It's not the sort of thing that would be added to any Super Micro server shipping to any old company – it would be highly targeted to minimize its discovery. If you've bought Super Micro kit, it's very unlikely it has a spy chip in it, we reckon, if the report is correct. Other than Apple and Amazon, the other 30 or so organizations that used allegedly compromised Super Micro boxes included a major bank and government contractors."
How is the contractor/attacker in any way in control of which MBs get sent to which customers. Surely that is entirely in the hands of Super Micro? Are these particular compromised MBs only available to certain customers? If so, how?