What is the evidence that Chinese government hackers are strategically stealing information from Taiwan's semiconductor industry?



CyCraft, a Taiwanese cybersecurity firm, has published its findings on hacking attacks against Taiwanese semiconductor companies over the past few years. The company believes the series of attacks was carried out by Winnti (also known as Barium or Axiom), a hacking group linked to the Chinese government.

Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry | WIRED
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

Chinese hackers have pillaged Taiwan's semiconductor industry | Ars Technica
https://arstechnica.com/information-technology/2020/08/chinese-hackers-have-pillaged-taiwans-semiconductor-industry/

CyCraft, in collaboration with the Forum of Incident Response and Security Teams, a body that investigates the causes of computer and network incidents and the extent of their impact, investigated a series of hacking attacks on semiconductor companies in Taiwan. According to the research team, at least seven semiconductor companies have been hacked in the last two years, some of them headquartered in the Hsinchu Industrial Park known as the 'Silicon Valley of Taiwan'.

The tactics used in several of these intrusions were found to be the same. The attackers first deliver malware, disguised as a Google Chrome update file, through the victim's VPN. It is not known whether the VPN was entered with credentials obtained somewhere or through a vulnerability in the VPN server, but the malware disguised as a Chrome update is known to have been built with the tool Cobalt Strike. The disguised malware used command-and-control servers hosted on Google's or Microsoft's cloud services, so the communication itself was difficult to recognize as abnormal.

Next, using the delivered malware, the attackers went after the database of hashed passwords and broke into the domain controller, the server that centrally manages access rights for user accounts and computers on a network such as a LAN. With a custom program combining code from the hacking tools Dumpert and Mimikatz, they added a 'new password' for every user in the domain controller's memory. This new password allows logging in to any user account. The trick is called a 'skeleton key'.
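Publicly documented skeleton key implementations, Mimikatz's included, patch only the RC4-HMAC Kerberos path in the domain controller's LSASS, so a defender's tell is accounts that normally receive AES tickets suddenly being issued RC4 ones, many of them from the same client. The following Python is an added example, not code from CyCraft or the article; it runs that check over constructed, simplified Windows 4768 (Kerberos TGT requested) records whose key=value layout and values are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample (not real telemetry): Windows Security events flattened to key=value lines.
# 4768 = Kerberos TGT requested; TicketEncryptionType 0x11/0x12 = AES128/AES256, 0x17 = RC4-HMAC.
SAMPLE_EVENTS = """\
EventID=4768 Account=alice Client=10.0.0.21 TicketEncryptionType=0x12
EventID=4768 Account=bob Client=10.0.0.22 TicketEncryptionType=0x12
EventID=4768 Account=carol Client=10.0.0.23 TicketEncryptionType=0x11
EventID=4768 Account=svc_legacy Client=10.0.0.30 TicketEncryptionType=0x17
EventID=4768 Account=alice Client=10.0.0.99 TicketEncryptionType=0x17
EventID=4768 Account=bob Client=10.0.0.99 TicketEncryptionType=0x17
EventID=4768 Account=carol Client=10.0.0.99 TicketEncryptionType=0x17
EventID=4769 Account=alice Client=10.0.0.21 TicketEncryptionType=0x12
"""

AES_TYPES = {"0x11", "0x12"}
RC4_TYPE = "0x17"

def parse_events(text):
    """Turn each key=value line into a dict; only 4768 (TGT request) records matter here."""
    events = []
    for line in text.splitlines():
        fields = dict(token.split("=", 1) for token in line.split())
        if fields.get("EventID") == "4768":
            events.append(fields)
    return events

def account_baseline(events):
    """Accounts that have been issued AES tickets, i.e. AES is enabled for them. Accounts that
    only ever use RC4 (legacy service accounts) are left out to avoid false positives."""
    return {e["Account"] for e in events if e["TicketEncryptionType"] in AES_TYPES}

def find_downgrades(events, baseline):
    """RC4 TGT requests for accounts that normally receive AES tickets."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_TYPE and e["Account"] in baseline]

def suspicious_sources(downgrades, min_accounts=3):
    """Group downgrades by client address. One host obtaining RC4 TGTs for several different
    AES-capable accounts is the pattern a single shared skeleton-key password produces."""
    by_client = defaultdict(set)
    for e in downgrades:
        by_client[e["Client"]].add(e["Account"])
    return {c: accts for c, accts in by_client.items() if len(accts) >= min_accounts}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(suspicious_sources(find_downgrades(evs, account_baseline(evs))))
```

In a real environment the baseline should be built from a longer history than the window being checked, and the RC4 hits should be confirmed against each account's msDS-SupportedEncryptionTypes setting before being treated as a skeleton key indicator.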



In April 2020, CyCraft published a report (PDF file) stating that Taiwanese semiconductor companies were being hacked with skeleton keys, and in August 2020 it presented several pieces of evidence suggesting that the series of hacks was the work of Chinese government hackers.

The research team traced the hacker group as it stole data from a victim's network, intercepted the authentication token used in the operation, and used that token to retrieve the 'hacking guidebook' the group kept on its cloud server. Analysis of the guidebook showed it was written in simplified Chinese characters, which are used in mainland China but not in Taiwan. It also turned out that the group worked on the so-called '996 work system' schedule, working from 9 am to 9 pm, six days a week, and was inactive on mainland Chinese holidays.

The most prominent piece of this circumstantial evidence is the 'backdoor program' the hacker group used, which resembled one used by the mainland China-based hacker group 'Winnti'. Winnti has been active since at least 2012 and is known to have planted Trojans in software such as CCleaner and ASUS LiveUpdate and to have run a large-scale Trojan campaign against the video game industry. In recent years it has also been found targeting universities in Hong Kong.

Winnti Group's new attack on Hong Kong university | Malware Information Agency
https://eset-info.canon-its.jp/malware_info/trend/detail/200304.html



'By working with intelligence agencies in Taiwan and other countries, it was discovered that hacker groups using similar techniques were also attacking government agencies in Taiwan,' CyCraft said. CyCraft's Chad Duffy, who has long been involved in this research, said that China is carrying out large-scale hacking against its neighbors, but that the situation is especially dangerous for Taiwan's semiconductor companies. He pointed to the risk that, with stolen IC chip circuit diagrams, source code, software development kits and the like, 'vulnerabilities of devices with embedded semiconductors could be discovered before release'.

'The series of attacks is damaging parts of Taiwan's economy and threatening its long-term viability,' Duffy said, referring to the potential for the stolen information to benefit Chinese semiconductor companies. He said Chinese government hackers are mounting a strategic attack on Taiwan's semiconductor industry.

in Security, Posted by darkhorse_log