Did A Chinese State-Sponsored Group Breach Taiwan's Semiconductor Industry? (arstechnica.com)
At the Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft revealed at least seven Taiwanese chip firms have been breached over the past two years, reports Wired:
The series of deep intrusions — called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique — appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom. "This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation...
The researchers found that, in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous....
Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan...
"It's possible that what they're seeing is just a small fragment of a larger picture," says the director of Kaspersky's Global Research & Analysis Team, who tells Wired the group has also attacked telecoms, tech firms, and a broad range of other Taiwanese companies.
But in the same article one of CyCraft's researchers argues the group could be looking for even more exploits. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released."
No! (Score:2)
Thank god, Betteridge prevented it.
Kind of scary (Score:1)
Re:Kind of scary (Score:5, Insightful)
Used for hacking? More like used to provide a massive advantage to Chinese private and military interests. When will people get it through their skulls, Chinese industry and the Chinese state are one thing.
They will use the info to help them replicate Taiwan chip fabrication tech and to undermine the design advances of most of the world who was foolish enough to trust that Taiwan would be a safe place to send their sensitive IP. China will have a knockoff of every worthwhile chip design companies and engineers in your nation have designed now.
China is at war with the rest of the world, especially the parts with some sort of concept of democracy, and they are most definitely hostile.
Another reason not to use cloud servers ... (Score:1)
Keep things on your own servers: you control them and so can better trust them. See packets going elsewhere --- go & investigate. Yes: it might cost a little more, but how expensive is the loss of important data?
Re: Another reason not to use cloud servers ... (Score:2)
Foundries like TSMC need a way for customers to send their chip designs. That said, it's tough to imagine circumstances where their internal process recipes are required to be shared outside the confines of the fab, so they could be internally locked down.
Thank Microsoft and AD (Score:2)
Who cares (Score:3)
Until a couple of months ago the whole world was benefiting from cheap goods from China. Unfortunately we also benefit from the State funded chip manufacturing TSMC foundry in the disputed territory of Taiwan which also makes most of our advanced electronics. Suddenly we care about all of this. The one thing I am not ok about is starting a cold war with China in order to change it. Blaming someone else for your own lack of insight and attacking them because of it is pathetic. Pay Intel or others to redress the balance but don't tell me we need another hot war to solve the issue.
Re:Who cares (Score:4, Insightful)
Suddenly we care about all of this.
No, this didn't suddenly magically appear after Trump's inauguration. Concerns over China's theft of intellectual property - as well as coerced extraction of intellectual property - have been around for decades. Heck, I remember Microsoft complaining about it back in the Windows 95 days... and earlier.
It's fine if you don't like the current administration's posture towards China*; but you can't pretend this is a made-up problem.
*I am annoyed by the administration's approach - mainly because they completely reverse course the moment China or a Chinese company does something that benefits Trump.
Things Are About to Get More Interesting (Score:2)