
Major Semiconductor Firm Applied Materials Hit by Supply Chain Attack; Ransomware Impact Will Cost $250 Million

A supply chain attack on a business partner of semiconductor giant Applied Materials will cost the company $250 million in the coming quarter. The company did not specify which partner was hit by the ransomware attack, but said that the incident would disrupt upcoming shipments.

It is possible that MKS Instruments, an industrial equipment supplier, was the breach point of the supply chain attack, as that company announced that it had been hit with ransomware on February 3 and would have to reschedule its fourth quarter earnings call. Applied Materials has not yet commented on this other than to say that the affected partner was a “major” supplier.

Supply chain attack takes a quarter billion dollar bite out of Applied Materials

MKS Instruments has issued a statement saying that it continues to recover from its ransomware attack, and that the Vacuum Solutions and Photonics Solutions divisions were impacted. The company said that processing and shipping of orders may be delayed and that it is still determining if its insurance covers the ransomware attack, with more news to come on its rescheduled February 28 earnings call.

If MKS was indeed the source of the supply chain attack, the whole incident is likely attributable to the recent global campaign against VMware ESXi servers, which has been targeting long-known vulnerabilities on servers that remain unpatched. The campaign has hit at least 3,200 servers around the world, primarily by exploiting an SLP vulnerability that was patched in 2021. The attackers have not yet been identified, but security analysts have reported that they are unsophisticated in their hacking techniques yet highly organized in targeting vulnerable servers and shaking down victims. The attackers have been following up with ransomware, and additionally exfiltrating data and threatening victims with its exposure.

Monti Knode, Director of Customer Success with Horizon3.ai, observes that MKS's handling of the announcement is noteworthy even if it somehow turns out that the company is not the source of the supply chain attack: “It’s interesting that MKS called out ‘had a material impact’, almost like they had to announce and clarify that a cyberspace attack could and did have a tangible outcome. We’re seeing this realization more in both public and private industry, especially in our Department of Defense which viewed as cross-domain operations; Russia has been doing this for years, and now the world is seeing it live in Ukraine and even here in the US (ref). The days of presuming this to be an IT or cybersecurity problem are long gone.”

Ransomware attacks on semiconductor industry can lead to widespread and severe consequences

Industrial control systems, banks and hospitals are usually the first things people think of as targets of the most damaging ransomware attacks. The semiconductor industry is quietly just as vulnerable a target, with nearly as much potential to cause widespread chaos when it is compromised.

The industry fielded at least eight major ransomware attacks in 2022, just as countries began making it a prime national security focus and began passing serious legislation to decouple from China and Taiwan as the virtual sole global sources of chips. The US, Japan, South Korea and portions of the EU are all now eyeing a restoration of long-abandoned domestic production, and other countries have announced plans to move operations to places with smaller but already established production capacity like India and Thailand.

Ted Miracco, CEO of Approov, foresees this new strategic focus as an invitation to criminals looking for ransomware targets that cannot afford to have their systems crippled for long: “With the ongoing ‘Chip War’ between the US and China, we should expect more disruptions like this in the future, and quarterly earnings should be the least of our concerns. These attacks on the semiconductor supply chain deserve a lot more attention than the latest balloon incidents.”

Some of the biggest ransomware groups put the semiconductor industry in their sights in 2022, and supply chain attacks are a favored point of entry as they are usually where the most lax security practices are found. All types of electronic equipment are already dependent on these components to some degree, and this dependence is only expected to deepen as 5G continues to roll out and all sorts of everyday tasks (from medical procedures to transportation) integrate functions with it.

These incidents also demonstrate the degree to which organizations are still facing serious threats from supply chain attacks. Software partners have been a major focus for criminals of late, and an area of growth in recent years. Advanced hackers focus on upstream service providers, looking to slip compromising malware into trusted updates to penetrate hundreds or thousands of organizations all at once. They are also taking a closer look at ways to wiggle into open source software components that thousands to millions of organizations around the globe rely on.

But supply chain attacks are also still sometimes a case of focusing on the perceived weakest link among outsiders that have privileged access to a specific bigger fish’s internal network. Organizations usually have little direct ability to influence the security practices of their business partners, and must instead do their due diligence on the company’s security reputation and ensure that key terms are in place in contracts. Incidents such as this ransomware attack demonstrate that there is still plenty of wiggle room for threat actors to exploit in these agreements.

An early 2023 report from the US-based non-profit Identity Theft Resource Center (ITRC) found that compromises from supply chain attacks impacted 10 million people in 2022, as compared to 4.3 million impacted by malware. These attacks are the primary cause of data breaches in which sensitive personal information is stolen, and social engineering was the most common shared component of them.