
NXP, Europe's second-largest semiconductor company, was compromised by Chinese threat actors for over 2 years, according to Fox-IT security.
NXP is Europe’s second-biggest semiconductor company behind ASML and the world’s 18th largest chipmaker by market capitalisation.

The company's chips are used in iPhones and Apple Watches to support advanced near-field communications (NFC) security mechanisms such as tag originality, tamper detection, and authentication for Apple Pay.
NXP also provides chips for the MIFARE card used by transit companies, FIDO-compliant security keys, and tools for relaying data inside the networks of electric vehicles.
The intrusion, by a group tracked under names including “Chimera” and “G0114,” lasted from late 2017 to the beginning of 2020 and allowed the threat actors to be privy to any and all vulnerabilities in the chips being manufactured.
During the period in which the gang were inside the network in Eindhoven, they periodically accessed employee mailboxes and network drives in search of chip designs and other NXP intellectual property.
The breach wasn’t uncovered until the intruders were detected in a separate company network that connected to compromised NXP systems on several occasions.
Once inside a first computer—patient zero—the threat actors gradually expanded their access rights, erased their tracks and pivoted to the protected parts of the network.
The hackers exfiltrated the sensitive data they found as encrypted archive files via cloud storage services such as Microsoft OneDrive.
According to the log files that Fox-IT analysed, the hackers came every few weeks to see whether new data could be found at NXP and whether more user accounts and parts of the network could be compromised.
Chimera has extensive experience in stealing data from a wide range of companies.
The threat actor uses a variety of means to compromise its victims. In the campaign that hit NXP, hackers leveraged account information revealed in previous data breaches of sites such as LinkedIn and Facebook.
The data allowed Chimera to guess the passwords that employees used to access VPN accounts. This allowed the threat actors to bypass multi-factor authentication by leveraging SIM-swapping attacks on the devices associated with the accounts.
NXP did not alert customers or shareholders to the intrusion, other than a brief reference in a 2019 annual report. It read:
“We have, from time to time, experienced cyber-attacks attempting to obtain access to our computer systems and networks. Such incidents, whether or not successful, could result in the misappropriation of our proprietary information and technology, the compromise of personal and confidential information of our employees, customers, or suppliers, or interrupt our business. For instance, in January 2020, we became aware of a compromise of certain of our systems. We are taking steps to identify the malicious activity and are implementing remedial measures to increase the security of our systems and networks to respond to evolving threats and new information. As of the date of this filing, we do not believe that this IT system compromise has resulted in a material adverse effect on our business or any material damage to us. However, the investigation is ongoing, and we are continuing to evaluate the amount and type of data compromised. There can be no assurance that this or any other breach or incident will not have a material impact on our operations and financial results in the future.”
Another security firm, CyCraft, produced a report of a two-year hacking spree by Chimera that targeted semiconductor makers with operations in Taiwan, where NXP also happens to have research and development facilities.
An attack on one of the unnamed victims compromised 10 endpoints and another compromised 24 endpoints.