A data breach at TSMC, a Taiwan-based hardware supplier, has been confirmed to be the work of LockBit. TSMC is one of Apple’s leading semiconductor suppliers, but it is possible that the breach will have much bigger ripples through the tech world impacting a number of other major names.
The TSMC data breach has been traced back to systems integrator Kinmax Technology, which lists a broad variety of other tech industry titans as clients: Cisco, Hewlett-Packard Enterprise, and Microsoft among them. Kinmax said that the attackers breached the engineering test environment and captured parameter information, but the full extent of damage remains unclear as the intrusion was only just detected on June 29.
Downstream data breach at TSMC causes loss of login credentials
LockBit has taken credit for the TSMC data breach and is demanding a $70 million payment to avoid leaking a variety of stolen information. The hacking group claims it has captured login names and passwords, along with assorted “points of entry” that other hackers might make use of to attack the hardware supplier’s network. TSMC says that the hackers did not make their way to its own client information, however.
Lior Yaari, CEO and co-founder of Grip Security, notes that the data that was exfiltrated from the hardware supplier is still quite valuable to attackers and potentially dangerous: “This breach is a great example of why machine identities are just as important as employee identities. Data is everywhere and accessed from anywhere by anybody. Companies who are able to secure employee and machine identities will be more secure than those that cannot. The securing of identities beyond the enterprise border to your suppliers or partners is increasingly important. Hackers are finding that smaller companies who partner with large companies are easier and more vulnerable targets to gain access to the final target.”
TSMC has not commented on whether it will pay the ransom, but did issue a statement indicating that it has cut off its data transfers with Kinmax. Kinmax said that it detected the original data breach on June 29, with the attackers stealing system installation preparation information (such as configuration files) for its customers. That would appear to indicate that any of Kinmax’s lengthy list of clients could be impacted, but the company issued a statement on June 30 claiming that its customers had not been hacked or damaged even as the hardware supplier was reporting its own downstream breach from the event.
This creates natural confusion and anxiety about the actual extent of the data breach, and an expectation that other Kinmax clients may discover their own downstream intrusions in the coming days. In addition to servicing hardware suppliers, Kinmax names some major cloud services and cybersecurity firms as clients including Checkpoint Research, Citrix, Fortinet and VMWare. At the moment, however, no other companies have come forward to report data breaches related to this incident.
The hardware supplier is thus far stating that the data breach will not impact its business operations; any disruption there could be very damaging to Apple, since TSMC is the sole manufacturer of the Apple Silicon processors used in recent models of Mac computers.
Hardware supplier held to a very large ransom
Average ransom demands have skyrocketed in recent years, from the single-digit thousands of dollars in 2018 to the low millions of dollars (according to some studies) at present. Major players like LockBit tend to scale their demands to the victim’s expected ability to pay. TSMC, with its estimated market cap of $523 billion and position among the world’s most valuable companies, is at the high end of that scale. Threat actors are not afraid to demand ransoms in the tens of millions from companies in such positions; similar ransoms were recently asked of CNA, Acer and Kaseya among others.
Hopes are that the attack on the hardware supplier will not unfold similarly to the recent run of third-party compromises that followed from the MOVEit attack. Cl0p, another leading ransomware gang, was behind that data breach and has been threatening victims (including big names across a broad variety of industries) in waves as the situation develops. Cl0p began its extortion threats in mid-June, but last week added Schneider Electric and Siemens Energy to the list of those that it is threatening with data leaks. It is still unknown exactly how many companies the group compromised with that breach, with an estimate of at least 2,500 potentially vulnerable systems online as of the public disclosure.
International law enforcement has shown more determination in going after major ransomware gangs that cause major damage, starting with the repeated attacks on critical infrastructure (something that crossed a “red line” that for-profit criminals were previously hesitant to approach) that made news in 2021. LockBit is one of the big groups that has managed to stay intact and highly active as rivals crumble under pressure. US officials noted it was the most commonly deployed ransomware worldwide in 2022, even as one of its members was picked up by police in Canada. Another arrest of a major affiliate was just made in the United States in June. The group is known to have been active against US targets since at least 2020 and has extorted a total of at least $91 million during that time.
LockBit is known to lead with email phishing, and Erich Kron (security awareness advocate at KnowBe4) points out that organizations can take immediate steps to curtail this avenue of attack: “The LockBit group’s successful use of email phishing to spread their malware should be a lesson to organizations of all sizes about how important it is to address both the technical and human sides of the social engineering threats we continue to see. Email gateways and filters are a great technical help, and employee education and training can make a significant difference when dealing with the messages that get past the technology.”