An investigation by Taiwanese cybersecurity firm CyCraft revealed that Chinese hackers began waging an intense campaign of espionage against the Taiwanese semiconductor industry in 2018.
CyCraft’s findings are especially interesting in light of the semiconductor shortage inflicted by U.S. sanctions that might kill the smartphone division of Chinese telecom giant Huawei.
India Today touched on China’s thirst for semiconductors when it reported CyCraft’s findings on Thursday:
That China seeks to lead in the emerging semiconductor and chip-making industry is no secret, but a cybersecurity firm has now exposed a concerted Chinese effort across two years to hack into leading Taiwanese firms.
Taiwan’s semiconductor industry is the core of its economy even as China lags in the shadows. Owing to Taiwan’s early mover advantage and experience in the semiconductor industry, world leaders in electrical and electronic device manufacturing such as Samsung, Google, and Apple depend on Taiwanese firms to produce customised chipsets for their devices. It’s evident that replacing Taiwan in this spot is near impossible for China.
CyCraft gave a presentation at the 2020 Black Hat security conference, expanding on a report published earlier in August, that said Chinese hackers aggressively attacked at least seven major semiconductor vendors over the past two years, attempting to steal their software. Although the identity of hackers is often difficult to ascertain precisely, the report noted the enterprising semiconductor thieves were familiar with the Chinese written language and took breaks during Chinese national holidays.
According to CyCraft, it was uniquely positioned to detect this hacking campaign because it performed incident response on-site for several of the targeted companies, which it did not identify by name. CyCraft engineers were able to intercept communications between a malware-infected corporate network and a server controlled by the hackers, then gain access to the hackers' own infrastructure to do a bit of spying on them.
CyCraft is Taiwan-based, and so are most of the big semiconductor firms, including the primary supplier of smartphone chips to China’s Huawei until recently, the Taiwan Semiconductor Manufacturing Company (TSMC).
The U.S. imposed sanctions on Huawei that blocked TSMC from manufacturing the Kirin chips Huawei designs for its top-of-the-line smartphones. This week those sanctions were tightened to cut off most of the alternative suppliers Huawei had been considering.
India Today reported that CyCraft's presentation at the Black Hat conference was entitled "Taiwan High-Tech Ecosystem Targeted by Foreign APT Group" and included details of the malware implanted in corporate computer systems in a bid to steal their proprietary data. (APT stands for Advanced Persistent Threat, the term cybersecurity professionals use for a well-resourced adversary, whether state-sponsored or privately run, that conducts sustained, stealthy intrusions against chosen targets rather than one-off attacks.)
The techniques and malware used in these efforts were similar enough for CyCraft to conclude a single group was behind the entire campaign. They were also similar to techniques employed by Chinese state-sponsored hackers in the past.
“The company’s findings include evidence that links the hackers to China and possible links to the Chinese state-sponsored hacker group Winnti, also known as Barium, or Axiom,” India Today reported.
Winnti is a hacking group linked to Chinese intelligence that first drew attention in 2011, when its malware was found planted in online video games, primarily titles popular in South Korea. The group's name comes from the name researchers gave its signature piece of malware. Winnti's code and techniques have since been detected in attacks on numerous targets despised by the Chinese Communist Party (CCP), including Tibetan and Uyghur activists, alongside a constant stream of corporate espionage operations.
CyCraft Global Product Manager Chad Duffy explained to India Today that semiconductor companies make attractive hacking targets because they have "high uptime requirements," meaning they cannot take their systems offline frequently to apply security updates or search for intrusions.
“Looking at the political motivations around it, there are strong suspicions that it’s a state-sponsored attack. We have been tracing a lot of cyberattacks of similar nature for a while now. We’re seeing a lot of patterns in the style of attack, the dates of the attack and the hours during which these are coordinated,” Duffy said, alluding to the observation that the semiconductor thieves did most of their hacking during standard work hours on the Chinese mainland.
“The hackers are also using sophisticated tools that point to state-backed machinery. It’s very seldom that an individual hacker or even a remote group will have this level of sophistication,” he added.
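Duffy's point about the dates and hours of the activity is a standard attribution technique: convert the timestamps of attacker actions (beacons, logons, file staging) into candidate local time zones and see which one makes the activity look like an ordinary working week. The following is an added example, not code from CyCraft or India Today; the beacon timestamps are constructed, the UTC+8 working window of 09:00 to 18:00 is an assumption, and the holiday list is the PRC National Day holiday of 1 to 7 October 2019. It goes slightly beyond the article by scoring several candidate offsets against each other rather than checking one.

```python
"""Work-hour profiling of attacker activity timestamps (added example)."""
from collections import Counter
from datetime import date, datetime, timedelta, timezone

# Constructed sample: UTC timestamps of outbound C2 beacons taken from a
# proxy log. Illustrative values only, not data from any investigation.
SAMPLE_BEACONS_UTC = [
    "2019-09-30T01:15:00Z",  # Mon 09:15 in UTC+8
    "2019-09-30T03:40:00Z",  # Mon 11:40
    "2019-09-30T07:05:00Z",  # Mon 15:05
    "2019-09-30T09:50:00Z",  # Mon 17:50
    "2019-10-01T02:00:00Z",  # Tue 10:00, PRC National Day holiday
    "2019-10-08T00:30:00Z",  # Tue 08:30, before the assumed work window
    "2019-10-08T02:10:00Z",  # Tue 10:10
    "2019-10-08T06:45:00Z",  # Tue 14:45
    "2019-10-12T03:00:00Z",  # Sat 11:00, weekend
    "2019-10-09T14:00:00Z",  # Wed 22:00, after hours
]

# Holiday calendar for the UTC+8 hypothesis (assumed: PRC National Day 2019).
PRC_HOLIDAYS_2019 = frozenset(date(2019, 10, d) for d in range(1, 8))


def parse_utc(stamp):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def to_local(dt_utc, offset_hours):
    """Shift a UTC datetime into a fixed-offset zone (no DST handling)."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def classify(local_dt, holidays, work_start=9, work_end=18):
    """Bucket a local timestamp as holiday, weekend, work_hours or after_hours."""
    if local_dt.date() in holidays:
        return "holiday"
    if local_dt.weekday() >= 5:  # Saturday=5, Sunday=6
        return "weekend"
    if work_start <= local_dt.hour < work_end:
        return "work_hours"
    return "after_hours"


def profile_activity(beacons, offset_hours, holidays=frozenset()):
    """Summarise how the activity lines up with a working week at one offset."""
    buckets = Counter()
    hours = Counter()
    for stamp in beacons:
        local = to_local(parse_utc(stamp), offset_hours)
        buckets[classify(local, holidays)] += 1
        hours[local.hour] += 1
    total = len(beacons)
    return {
        "offset": offset_hours,
        "total": total,
        "buckets": dict(buckets),
        "work_hours_fraction": buckets["work_hours"] / total if total else 0.0,
        "hour_histogram": dict(sorted(hours.items())),
    }


def best_fit_offset(beacons, candidate_offsets):
    """Return (best offset, {offset: work-hours fraction}) across candidates.

    Holidays are left out here because they are zone-specific; apply them
    afterwards to the winning hypothesis with profile_activity().
    """
    scores = {off: profile_activity(beacons, off)["work_hours_fraction"]
              for off in candidate_offsets}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = best_fit_offset(SAMPLE_BEACONS_UTC, [-5, 0, 8])
    print("candidate offsets:", scores, "best:", best)
    print(profile_activity(SAMPLE_BEACONS_UTC, best, PRC_HOLIDAYS_2019))
```

On the constructed sample the UTC+8 hypothesis wins clearly, and once the holiday calendar is applied the one beacon on 1 October stands out as the exception rather than the rule. On real data the same shape of evidence is only circumstantial: operators can schedule tasks, work shifts, or deliberately operate from another zone, which is why CyCraft pairs it with tooling and infrastructure overlaps rather than relying on it alone.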
While some high-profile intrusions are actually rather crude and involve less code-level "hacking" than one might expect (often it is simply a matter of tricking employees of the targeted company into revealing their passwords or installing off-the-shelf malware), the semiconductor espionage campaign was considerably more sophisticated. It involved custom malware disguised as web-browser software on corporate hosts and a carefully hidden command-and-control server. Once inside a network, the attackers used credential-theft tools to harvest and crack stored password hashes, and they patched the authentication process on domain controllers so that every domain account would also accept a master password known only to the attackers, alongside the account's real password, a technique called "skeleton key injection."
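A skeleton key patch lives only in the domain controller's memory, so defenders usually catch it through a side effect rather than the patch itself: the in-memory patch forces Kerberos to fall back to RC4-HMAC (etype 0x17) for the affected accounts, so accounts that had been receiving AES tickets suddenly downgrade, all at once, on the patched DC. The following is an added detection example, not CyCraft's tooling; the event records are constructed, reduced to the fields the check needs, and use assumed field names (`time`, `dc`, `account`, `etype`, `status`) rather than the exact Windows 4768 XML.

```python
"""Kerberos encryption-downgrade detection for skeleton key (added example)."""
from collections import defaultdict

AES_TYPES = {0x11, 0x12}  # AES128 / AES256-CTS-HMAC-SHA1-96
RC4_TYPE = 0x17           # RC4-HMAC, what a skeleton-key-patched LSASS issues

# Constructed sample of Windows 4768 (TGT request) events. Field names are an
# assumption for this example; times are ISO-8601 UTC so they sort as strings.
SAMPLE_4768 = [
    # Baseline week: healthy AES tickets, one legacy service account on RC4.
    {"time": "2019-10-01T08:00:00Z", "dc": "DC01", "account": "alice",      "etype": 0x12, "status": "0x0"},
    {"time": "2019-10-01T08:05:00Z", "dc": "DC01", "account": "bob",        "etype": 0x12, "status": "0x0"},
    {"time": "2019-10-02T09:10:00Z", "dc": "DC01", "account": "carol",      "etype": 0x12, "status": "0x0"},
    {"time": "2019-10-02T09:15:00Z", "dc": "DC01", "account": "svc_legacy", "etype": 0x17, "status": "0x0"},
    {"time": "2019-10-03T10:00:00Z", "dc": "DC02", "account": "dave",       "etype": 0x12, "status": "0x0"},
    # Detection window: DC01 starts handing RC4 tickets to AES accounts.
    {"time": "2019-10-08T01:00:00Z", "dc": "DC01", "account": "alice",      "etype": 0x17, "status": "0x0"},
    {"time": "2019-10-08T01:02:00Z", "dc": "DC01", "account": "bob",        "etype": 0x17, "status": "0x0"},
    {"time": "2019-10-08T01:03:00Z", "dc": "DC01", "account": "carol",      "etype": 0x17, "status": "0x0"},
    {"time": "2019-10-08T01:04:00Z", "dc": "DC01", "account": "svc_legacy", "etype": 0x17, "status": "0x0"},
    {"time": "2019-10-08T01:05:00Z", "dc": "DC01", "account": "alice",      "etype": 0x17, "status": "0x18"},
    {"time": "2019-10-08T02:00:00Z", "dc": "DC02", "account": "dave",       "etype": 0x12, "status": "0x0"},
    {"time": "2019-10-08T02:10:00Z", "dc": "DC02", "account": "erin",       "etype": 0x17, "status": "0x0"},
]


def baseline_etypes(events, before):
    """Map account -> set of ticket etypes seen in successful TGT requests before `before`."""
    seen = defaultdict(set)
    for ev in events:
        if ev["time"] < before and ev["status"] == "0x0":
            seen[ev["account"]].add(ev["etype"])
    return seen


def find_downgrades(events, window_start):
    """Flag successful RC4 TGTs for accounts whose baseline was AES-only.

    Failed requests (status != 0x0) are skipped: a bad password never
    produced a ticket, so its etype says nothing about the DC. Accounts with
    no baseline are skipped too, since they could simply lack AES keys.
    """
    baseline = baseline_etypes(events, window_start)
    alerts = []
    for ev in events:
        if ev["time"] < window_start or ev["status"] != "0x0":
            continue
        prior = baseline.get(ev["account"])
        if ev["etype"] == RC4_TYPE and prior and prior <= AES_TYPES:
            alerts.append({"time": ev["time"], "dc": ev["dc"], "account": ev["account"]})
    return alerts


def suspicious_dcs(alerts, min_accounts=2):
    """DCs where several distinct accounts downgraded: the skeleton key signature.

    A single account on RC4 is weak evidence (a legacy client, a reset key);
    many accounts downgrading against one DC in the same window is not.
    """
    accounts_by_dc = defaultdict(set)
    for a in alerts:
        accounts_by_dc[a["dc"]].add(a["account"])
    return sorted(dc for dc, accts in accounts_by_dc.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    hits = find_downgrades(SAMPLE_4768, "2019-10-08T00:00:00Z")
    for h in hits:
        print("downgrade:", h)
    print("suspicious DCs:", suspicious_dcs(hits))
```

The check is deliberately conservative: `svc_legacy` never trips it because RC4 was already its normal state, `erin` is ignored for lack of a baseline, and the failed logon is discarded. What remains is three different AES accounts downgrading on DC01 within minutes, which is the pattern to escalate. Confirmation then happens on the DC itself (LSASS memory inspection), and because the patch does not survive a reboot, a restart clears it but also destroys the evidence, so capture memory first.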
CyCraft’s analysts, it should be noted, appear considerably more confident that the semiconductor hackers are linked to the Chinese government than most other professional observers. Other security firms have not ruled it out, or even deemed it unlikely, but they have said they don’t have enough firm evidence to declare a link to China. CyCraft said it was in possession of more evidence because it worked closely on-site with the targeted companies.