Security China

Hackers Spent 2+ Years Looting Secrets of Chipmaker NXP Before Being Detected (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A prolific espionage hacking group with ties to China spent over two years looting the corporate network of NXP, the Netherlands-based chipmaker whose silicon powers security-sensitive components found in smartphones, smartcards, and electric vehicles, a news outlet has reported. The intrusion, by a group tracked under names including "Chimera" and "G0114," lasted from late 2017 to the beginning of 2020, according to Netherlands national news outlet NRC Handelsblad, which cited "several sources" familiar with the incident. During that time, the threat actors periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property. The breach wasn't uncovered until Chimera intruders were detected in a separate company network that connected to compromised NXP systems on several occasions. Details of the breach remained a closely guarded secret until now.

NRC cited a report published (and later deleted) by security firm Fox-IT, titled Abusing Cloud Services to Fly Under the Radar. It documented Chimera using cloud services from companies including Microsoft and Dropbox to receive data stolen from the networks of semiconductor makers, including one in Europe that was hit in "early Q4 2017." Some of the intrusions lasted as long as three years before coming to light. NRC said the unidentified victim was NXP. "Once nested on a first computer -- patient zero -- the spies gradually expand their access rights, erase their tracks in between and secretly sneak to the protected parts of the network," NRC reporters wrote in an English translation. "They try to secrete the sensitive data they find there in encrypted archive files via cloud storage services such as Microsoft OneDrive. According to the log files that Fox-IT finds, the hackers come every few weeks to see whether interesting new data can be found at NXP and whether more user accounts and parts of the network can be hacked."

NXP did not alert customers or shareholders to the intrusion, other than a brief reference in a 2019 annual report. It read: "We have, from time to time, experienced cyber-attacks attempting to obtain access to our computer systems and networks. Such incidents, whether or not successful, could result in the misappropriation of our proprietary information and technology, the compromise of personal and confidential information of our employees, customers, or suppliers, or interrupt our business. For instance, in January 2020, we became aware of a compromise of certain of our systems. We are taking steps to identify the malicious activity and are implementing remedial measures to increase the security of our systems and networks to respond to evolving threats and new information. As of the date of this filing, we do not believe that this IT system compromise has resulted in a material adverse effect on our business or any material damage to us. However, the investigation is ongoing, and we are continuing to evaluate the amount and type of data compromised. There can be no assurance that this or any other breach or incident will not have a material impact on our operations and financial results in the future."
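The NRC/Fox-IT description above boils down to a repeatable pattern: stage sensitive files into an encrypted archive, push it to a consumer cloud-storage service the enterprise already talks to, and come back every few weeks. Because the archive is encrypted, content inspection sees nothing; what a defender is left with is egress telemetry. The script below is an added example (not code from Ars Technica, NRC, Fox-IT or NXP) of the kind of check a detection engineer would write over proxy logs: it sums bytes uploaded per host, user and day to a list of cloud-storage domains and flags anything over a volume threshold. The log format, the hostnames, the domain list and the 100 MiB threshold are all assumptions, and the log lines are constructed for the example.

```python
"""
Added example: toy egress-volume detector for the cloud-storage exfiltration
pattern attributed to Chimera. Not Fox-IT's or NXP's code. Log lines, the
proxy log format and the domain list are assumptions constructed for this page.
"""
from collections import defaultdict
from datetime import datetime

# Assumed proxy log layout (one record per line, space separated):
#   timestamp host user dest_host method bytes_out status
# These six lines are constructed sample data, not real traffic.
SAMPLE_PROXY_LOG = """\
2023-11-01T09:12:03 ws-eng-041 jdoe sharepoint.corp.example GET 1204 200
2023-11-01T09:15:40 ws-eng-041 jdoe onedrive.live.com PUT 734003200 201
2023-11-01T09:16:02 ws-eng-041 jdoe onedrive.live.com PUT 812345678 201
2023-11-01T10:01:11 ws-fin-002 asmith dropbox.com GET 5120 200
2023-11-01T10:04:55 ws-fin-002 asmith api.dropboxapi.com POST 2048000 200
2023-11-01T11:30:00 ws-eng-007 blee github.com GET 9000 200
"""

# Illustrative list of consumer cloud-storage endpoints; a real deployment
# would maintain this from a category feed and exclude the corporate tenant.
CLOUD_STORAGE_DOMAINS = {
    "onedrive.live.com",
    "api.onedrive.com",
    "dropbox.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "drive.google.com",
}
UPLOAD_METHODS = {"PUT", "POST"}
# Bytes per (day, host, user) before alerting; an assumed starting point to tune
# against the environment's baseline, not a recommended value.
UPLOAD_THRESHOLD = 100 * 1024 * 1024  # 100 MiB


def parse_line(line):
    """Split one assumed-format proxy record into a dict with typed fields."""
    ts, host, user, dest, method, nbytes, status = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "user": user,
        "dest": dest,
        "method": method,
        "bytes": int(nbytes),
        "status": int(status),
    }


def is_cloud_storage(dest):
    """True if dest is one of the listed domains or a subdomain of one."""
    return any(dest == d or dest.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def find_bulk_cloud_uploads(log_text, threshold=UPLOAD_THRESHOLD):
    """
    Aggregate upload bytes to cloud-storage domains per (day, host, user) and
    return the sorted list of ((day, host, user), total_bytes) at or above
    threshold. Downloads (GET) and non-storage destinations are ignored.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] in UPLOAD_METHODS and is_cloud_storage(rec["dest"]):
            key = (rec["ts"].date().isoformat(), rec["host"], rec["user"])
            totals[key] += rec["bytes"]
    return sorted((k, v) for k, v in totals.items() if v >= threshold)


if __name__ == "__main__":
    for (day, host, user), total in find_bulk_cloud_uploads(SAMPLE_PROXY_LOG):
        print(f"{day} {host} {user}: {total / (1024 * 1024):.1f} MiB to cloud storage")
```

On the constructed input only ws-eng-041/jdoe trips the check (two PUTs to onedrive.live.com totalling about 1.4 GiB); the small Dropbox POST from the finance workstation stays under the assumed threshold. In a Microsoft 365 shop the corporate OneDrive tenant will dominate this volume, so the practical version baselines per host and per destination and alerts on a destination that is new for that host, which is also how the recurring "every few weeks" visits described above would surface as repeated spikes rather than a single event.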



  • by JeffOwl ( 2858633 ) on Tuesday November 28, 2023 @08:14PM (#64039715)

    "At NXP, we believe that security is essential now more than ever. We have a strong history of providing solutions to ecosystems that require heightened security and privacy, from the edge to the cloud. Our deep engineering expertise, proven processes and understanding of emerging trends are just a few reasons why we deliver trusted solutions to meet your security needs."

    On their website, we should, or should not, take them seriously?

  • by bill_mcgonigle ( 4333 ) * on Tuesday November 28, 2023 @10:34PM (#64039911) Homepage Journal

    > Such incidents, whether or not successful, could result in the misappropriation of our proprietary information

    This is so obviously untrue that somebody was trying to get a message out.

    I guess it was about the multi-year cover-up? Too bad nobody noticed the "Help, I'm being held prisoner in the fortune cookie factory!" claim contemporaneously.

    Do these guys IIRC make an FPGA? If yeah double-check the compiler output.

  • Not just 'ties' (Score:4, Insightful)

    by Baron_Yam ( 643147 ) on Tuesday November 28, 2023 @11:09PM (#64039945)

    If a Chinese hacking group is exfiltrating IP from another country and China isn't cracking down on the people benefiting from it or showing any real signs of hunting down the hackers... it's a CCP operation.

    There's no reason to give benefit of the doubt, and in fact it belies common sense to even consider doing so.

    Show me the executives going to jail for accepting the data. Show me the companies shut down for producing the products made with it. Until then, it's merely an unacknowledged government program.

  • by pepsikid ( 2226416 ) on Wednesday November 29, 2023 @12:31AM (#64040069)

    Interesting... at the beginning of 2020, I was hired to refresh the PCs at the Austin TX NXP facility. This place was the size of a small city and it was only 10% full or less. They put the refresh on hold for unknown reasons (didn't want to wipe any hacker evidence?) and made me join the deskside support team.

    The place was mostly populated by busy-looking people from India who treated every other ethnicity as a lower caste. One of the deskside guys had sat in a meeting where they were talking about how nobody who wasn't Indian would ever get a raise or promotion there (they mistook him for Indian). After 6 weeks of still not getting a badge (I had to wait at the entrance for someone to come bring me in as a guest EVERY morning) or login accounts, I noped out of there. Very toxic and dysfunctional environment.

    Interestingly, a few months later I went to a job interview and the lady there thought I was someone else and pulled out a copy of one of these deskside guys' resumes when she sat down with me. That particular dude was an ahole and I'm lucky I didn't run into him as I left the building; he was probably also interviewing there that day.

  • Yeah...because they'll steal from anybody.

    • Erh... no, by definition it is.

      Care to show me anything tech that's not "Made in China"? Of course their tech is as good as everyone's, everyone's tech IS theirs.

  • In the 1800s it was the US stealing British technologies, the most famous example being Francis Cabot Lowell stealing the loom.
    Once a country gets advanced enough that it actually has some IP to hide, it begins respecting IP law.

  • I'm wondering if they let the hackers 'steal' deliberate misinformation. They could really do themselves a favor by supplying the hackers with 'secrets' that are completely bogus and result in buggy/faulty chips. It was reported that the formula for the faulty capacitors [wikipedia.org] was "mis-copied", absolving the hacked company of any responsibility.
