A leak on a hacking forum that exposed internal AMD data appears to have been confirmed by the company, as it acknowledged that an unnamed third-party vendor involved in product assembly was breached. Questions remain about the extent of the data breach, however, as AMD has not yet confirmed the inclusion of customer or employee information but does not expect it to cause a material business impact.
A sample of the data breach was posted to tenacious underground forum BreachForums, which was recently raided by law enforcement and thought to be on the ropes. That sample did include what appeared to be internal AMD production information, but hacker IntelBroker had claimed that the data set also included employee and customer databases as well as financial information.
Third-party vendor appears to be source of AMD data breach
The data breach became public knowledge on June 18, when IntelBroker posted about it on the underground hacking forum. AMD’s most recent report on the issue characterizes the damage as “limited” but also says that it is working with law enforcement to determine the full impact.
AMD’s statements have implicated an unnamed third-party vendor, and it says that the “limited amount of information” that was stolen is centered on production materials. The company was not any more specific than that, but the samples posted to the hacking forum do appear to corroborate that story.
Claims on hacking forum have yet to be fully proven out
While AMD has confirmed the data breach at this point, questions remain as to whether IntelBroker stole the full range of data claimed on the hacking forum. The picture is muddied by the very recent raid on BreachForums, which led to arrests of key figures and the seizure of a good deal of infrastructure. In the wake of such major international actions, cyber criminal enterprises usually see a mass exodus of customers. One of the common tactics to bring customers back is to claim that some very juicy data breaches are available to buyers, often by either overstating what is available or making it up entirely. It is also possible that the data sale is an attempted rug pull as the forum spins down after its compromise by authorities.
In a follow-up post, IntelBroker has since claimed that an employee database was stolen containing job descriptions and employment information tied to business phone numbers and email addresses. Analysis of these samples by security researchers has shown that the listed entries are labeled “inactive,” likely former employees whose contact information may be outdated. There is also no word yet on what customer information might have been stolen. Whether or not the claims are legitimate, the focus of the sale does seem to be items such as source code and development details for future products.
The incident was accompanied by a claim that IntelBroker had also hacked Apple and obtained the source code for some of its tools: AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin. The code was released for free to members of the hacking forum, lending credence to the idea that all of this is a marketing exercise to coax wary clients back. Apple has not yet confirmed a data breach.
Almost exactly two years ago, AMD was hit by a ransomware group, a smaller but still currently active ransomware-as-a-service (RaaS) operation calling itself RansomHouse. That group also claimed to have stolen data from AMD, in that case about 450 GB worth, but the details of exactly what was taken were similarly unclear. The group claimed that it had penetrated the AMD network by finding employee accounts with passwords such as “password,” “123456” and “Welcome1.” As with the current incident, AMD said that the hackers did not steal as much information as they claimed. The stolen data has yet to appear on the dark web, but it is not uncommon for data that is sold privately to stay out of the public eye for years before it is eventually dumped somewhere due to lack of ongoing value. Nevertheless, the incident raised questions about AMD’s cybersecurity and prompted the company to make substantial improvements to its network.
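The RansomHouse claim above is a reminder that the passwords it named (“password,” “123456,” “Welcome1”) would be rejected by any screening that follows NIST SP 800-63B’s advice to compare candidate passwords against a denylist of commonly used or compromised values. The following is an added example, not code from AMD or from this article, of such a screen: it folds case and leetspeak, strips a short trailing run of digits or symbols so that “Welcome1” and “P@ssw0rd!” collapse onto their base words, and rejects keyboard or alphabet sequences. The denylist and the sample accounts are constructed for the example; a real deployment would load a large breached-password corpus and run the check at password-set time rather than over stored plaintext.

```python
"""Weak-password screening in the spirit of NIST SP 800-63B 5.1.1.2.

Added example (assumption: a small inline denylist stands in for a real
breached-password corpus). Not code from the article or from AMD.
"""
import re

# Constructed denylist: the three values named in the 2022 RansomHouse claim
# plus a few other perennial favourites. Real deployments use millions.
DENYLIST = {
    "password", "123456", "welcome1", "welcome", "qwerty", "letmein",
    "admin", "changeme",
}

# Reverse leetspeak map so "P@ssw0rd" folds onto "password".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

# A short run of digits/symbols bolted onto the end of a word ("Welcome1", "Welcome123!").
_TRAILING = re.compile(r"[0-9!@#$%^&*]{1,4}$")


def candidates(pw):
    """Yield normalised forms of pw that should collide with a denylisted base word."""
    base = pw.lower()
    yield base
    yield base.translate(_LEET)
    stripped = _TRAILING.sub("", base)
    yield stripped
    yield stripped.translate(_LEET)


def is_sequence(pw, min_len=6):
    """True for monotonic runs such as 12345678 or abcdefgh (ascending or descending)."""
    s = pw.lower()
    if len(s) < min_len:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs <= {1} or diffs <= {-1}


def screen(pw):
    """Return (accepted, reason). Order matters: cheap structural checks first."""
    if len(pw) < 8:
        return False, "too short"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    if is_sequence(pw):
        return False, "keyboard/alphabet sequence"
    for cand in candidates(pw):
        if cand in DENYLIST:
            return False, "matches denylisted value %r" % cand
    return True, "ok"


# Constructed sample (username, candidate password) pairs; no real data.
SAMPLE_ACCOUNTS = [
    ("alice", "password"),
    ("bob", "123456"),
    ("carol", "Welcome1"),
    ("dave", "P@ssw0rd!"),
    ("erin", "xQ7#vLm2!pRt9"),
]


def audit(accounts):
    """Return {username: reason} for every account whose password fails the screen."""
    flagged = {}
    for user, pw in accounts:
        ok, reason = screen(pw)
        if not ok:
            flagged[user] = reason
    return flagged


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS).items():
        print(user, "->", reason)
```

The normalisation step is what gives the check its value: a denylist that only does exact matches lets “Welcome1” through while blocking “welcome”, which is exactly the gap the passwords named above exploit.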
IntelBroker is a genuine and established hacker with a number of prior data breaches of high-profile targets under their belt. The hacker is one of the operators of the BreachForums hacking forum, and has remained at large and kept the site functioning even as at least one of the other main operators was arrested and substantial infrastructure was seized in May.
The hacking forum now has a history of being up for about a year, being raided, and reforming under a new name (and sometimes adding new operators). Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, notes that confirmation of the full scope of the data breach is necessary given these questionable circumstances: “If possible, AMD should try to confirm if the data is truly from the claimed breach. Most of the time, hacker claims are truthful and accurate. But there have been more than enough false claims over the years that no company or person can simply trust what a malicious hacker is saying.”
“So, step one is confirmation. Step two, if the data is confirmed as belonging to AMD, is to see if there is anything the company can do legally to prevent the information from being sold and disseminated. Often there is nothing a company can do, but sometimes publishing sites can be convinced to take down the stolen data. Step three, if the data is real, is to notify impacted people or companies in a timely manner. Step four, if the data is real, is to give impacted employees or customers (costless) ways for them to monitor for unauthorized use of the information. Step five is to determine how the information was stolen (i.e., social engineering, unpatched software or firmware, etc.) and to implement mitigations to prevent data loss from happening again,” added Grimes.