A presentation at the Black Hat (virtual) Security Conference this week revealed details of a number of hacking operations aimed at the Taiwanese semiconductor industry. The Taiwanese security firm CyCraft presented details of its investigation at the conference. At least seven Taiwanese companies were penetrated in an attack CyCraft refers to as “Operation Skeleton Key,” due to the use of a “skeleton key” injector technique. While CyCraft has nicknamed the group Chimera, there’s evidence of ties to mainland China and possibly to government-sponsored hacking groups.
“This is very much a state-based attack trying to manipulate Taiwan’s standing and power,” Chad Duffy, one of the CyCraft researchers who worked on the company’s long-running investigation, told Wired. The sort of wholesale theft of intellectual property CyCraft observed “fundamentally damages a corporation’s entire ability to do business,” adds Chung-Kuan Chen, another CyCraft researcher who will present the company’s research at Black Hat today. “It’s a strategic attack on the entire industry.”
Last year, we covered a major malware problem involving Asus. The company’s software had been hijacked by malicious code inserted into Asus’ own software and pushed out by the company’s servers. What made these attacks interesting was that the software in question was clearly targeted at specific individuals. Once the malware was loaded onto a system, it checked the MAC address against a list of ~600 specific addresses before downloading additional payloads from a command and control server. This kind of sophisticated attack takes exactly the opposite approach of your typical zombie botnet, which seeks to infect as many systems as possible. The Asus attack wasn’t a one-off, and CyCraft has been tracking the digital fingerprints of the groups behind these assaults for several years.
CyCraft hasn’t disclosed the names of the companies that were hit by the attacks, but the intrusions show common fingerprints. The hackers gained access by compromising virtual private networks (VPNs), though it isn’t clear which methods they used to do so. Once inside, they used a custom version of the pentest tool Cobalt Strike to upload malware posing as a Google Chrome update file. The teams went to great lengths to hide their work, never distributing malware that might tip off security staff to their presence in the network. According to Wired, the most distinctive tactic the hackers employed was to manipulate the penetrated domain controllers into creating a new password for every user in the system, thereby effectively injecting a skeleton key for themselves in the process.
Why Does CyCraft Believe It’s Tracking Mainland Chinese Hackers?
At one point, the Wired article explains, CyCraft white hats managed to intercept an authentication token for the malware command and control server. On the server was a “cheat sheet” that described how the group typically exfiltrated data from their victims. The document was written in Simplified Chinese using characters used on the mainland but not in Taiwan. The group also appeared to follow a traditional Chinese work schedule known as 9-9-6 (9 AM to 9 PM, six days a week) and they took holidays according to mainland China’s schedule — not Taiwan’s. This wouldn’t be enough to secure convictions in a court of law, but it passes the “If it waddles like a duck” test.
The ramifications of this kind of IP theft could be considerable — and they aren’t all to China’s benefit. Semiconductors aren’t just built from silicon. In the client foundry model, they’re also built on trust. Every single TSMC, Samsung, and GlobalFoundries customer has given the client foundry access to critical intellectual property. Nvidia has to be able to trust that TSMC isn’t going to sell information about its products to a rival firm.
Imagine a hypothetical situation in which AMD works with TSMC to implement a modified 5nm node for future Ryzen CPUs that improves their clock speeds by 200-300MHz compared with TSMC’s standard 5nm. At the same time, Intel expresses interest in building chips at TSMC on 5nm. Like any customer, Intel has target clock speeds and power consumption figures it wants to achieve. The IP AMD developed with TSMC for its own private use would dramatically improve the cost structure of the TSMC/Intel deal — but TSMC’s deal with AMD precludes sharing it with a rival. If AMD can’t trust TSMC not to use its work, AMD is going to find a different foundry partner.
The situation with China is higher-stakes than that. Here, it’s not just a question of competitive CPU standing, but the ability to find hardware flaws baked into silicon before a CPU is even released. While we don’t talk about it as a topic very often, hardware-level bugs are a problem that’s only getting worse as CPU transistor counts continue to climb.
“This is a way to cripple a part of Taiwan’s economy, to hurt their long-term viability,” Duffy says. “If you look at the scope of this attack, pretty much the entire industry, up and down the supply chain, it seems like it’s about trying to shift the power relationship there. If all the intellectual property is in China’s hands, they have a lot more power.”
There’s far more reporting today on IP and trade secret theft by China than there was a few years ago. It’s going to be interesting to see if Western countries remain as eager to work in China in the future as they have been over the last few decades.