Semiconductor manufacturers are under the spotlight in a new report from BlueVoyant titled: “Semiconductors, the Supply Chain & Cyber Security 2021” (registration required). It goes on to say: “Semiconductor manufacturers do not adequately defend their systems from potential cyber-attack leaving an extremely critical supply chain vulnerable.”
With a relatively small number of companies dominating global semiconductor manufacturing, a problem with any one can have significant repercussions. Take Japanese company Renesas as an example. While it wasn’t hit by a cyber-attack, it has recently had a serious fire. It provides 20% of the semiconductors used by the automotive industry. The fire has shut down production and caused Toyota and Nissan to cut production due to a shortage of chips.
Renesas is just a small player in the global chip market. The three largest players in the third-party fabrication industry and their global market share are TSMC (50%), Samsung (18%) and GlobalFoundries (8%). These are just three of the companies whose cybersecurity posture BlueVoyant looks at in the report.
Attackers ramping up campaigns against semiconductor manufacturers
All 17 companies that BlueVoyant looked at showed persistent attempts to gain access to their infrastructure. Interestingly, attacks were not just about causing production shutdowns.
The report says: “92% of inbound malicious targeting went to three US-based fabless (design-only) semiconductor companies, indicating threat actor interest also lies in intellectual property theft — not just disrupting the manufacturing process.”
While BlueVoyant calls out IP theft, there is another reason for fabless facilities to be targeted. Intel has suffered a series of serious vulnerabilities in its chips over the last few years. It is wholly reasonable that malicious actors might seek to insert their code into the design. It would allow them access, at a later date, to any device using that microprocessor.
The report also highlights more traditional cyber-attacks. “A majority (88%) of entities also demonstrated targeting by known ransomware IPs and brute force attacks (94%).”
It is not the increase and type of attacks that surprised BlueVoyant. It says that there is a widespread lack of adequate protection against attacks and discovered:
- 94% of examined entities demonstrated open, at-risk ports.
- 24% showed evidence of open RDP ports.
- 24% demonstrated open authentication ports.
- 18% had evidence of open datastore ports.
All of these provide attackers with a way into the organisation.
Poor patching and communication with known IoCs
This is not just about poor port security. There is a pattern of behaviour that causes serious concerns over security policies such as patching and checking outbound communications.
The study cites the case of TSMC, which suffered a WannaCry ransomware attack in 2018, 18 months after Microsoft issued a patch. The resulting infection shut down 10,000 machines and cost the company over US$170 million in revenue. Luckily, the downtime was just a single day, showing that the company did, at least, have excellent cyber resilience.
Of greater concern is that BlueVoyant spotted outbound traffic from the majority of the semiconductor manufacturers to known blacklisted IoCs. It commented: “While a majority of this traffic was to establish botnet and phishing infrastructure, a small number of companies demonstrated traffic to known ransomware and malware IoCs.” BlueVoyant does go on to say that this traffic does not by itself prove compromise, but it is a strong indicator.
It is not just that connections to malicious IoCs could cause further infection of machines. Attackers could already be exfiltrating data from those targets. In a year when businesses have gone remote, it also raises the question as to how many of those machines were personal rather than business.
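The two findings above, exposed services on at-risk ports and outbound connections to known-bad addresses, are both things a defender can check from connection logs. The following is an added example, not code from BlueVoyant or Enterprise Times: it parses a constructed, simplified firewall-log format, flags accepted inbound connections from the internet to a (hypothetical) list of risky ports, and flags outbound connections from internal hosts to a constructed blocklist. The blocklist uses RFC 5737 documentation addresses, not real IoCs, and the port-to-service mapping is an assumption for illustration.

```python
"""Added example (not from the report or the article): flag exposed
risky ports and outbound contact with blocklisted addresses in a
constructed connection log."""
import ipaddress
from dataclasses import dataclass

# Hypothetical service map for the "open RDP / authentication / datastore
# ports" finding; adjust to the services actually in your estate.
RISKY_INBOUND_PORTS = {
    3389: "RDP",
    22: "SSH",
    389: "LDAP",
    636: "LDAPS",
    3306: "MySQL",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    9200: "Elasticsearch",
}

# Constructed blocklist using documentation ranges; these are NOT real IoCs.
IOC_BLOCKLIST = {
    "203.0.113.7": "ransomware-c2",
    "198.51.100.23": "botnet",
    "192.0.2.99": "phishing",
}

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Connection:
    ts: str
    action: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one constructed log line:
    '<timestamp> <ACCEPT|DENY> <src_ip>:<port> -> <dst_ip>:<port> <proto>'.
    Returns None for lines that do not match."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, action, src, _, dst, proto = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Connection(ts, action.upper(), src_ip, int(src_port),
                      dst_ip, int(dst_port), proto)


def parse_log(text: str):
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        conn = parse_line(line)
        if conn is not None:
            conns.append(conn)
    return conns


def find_exposed_services(conns):
    """Accepted inbound connections from outside to a risky port: evidence
    that the service is reachable from the internet (the 'open port' finding)."""
    found = set()
    for c in conns:
        if (c.action == "ACCEPT" and not is_internal(c.src_ip)
                and is_internal(c.dst_ip) and c.dst_port in RISKY_INBOUND_PORTS):
            found.add((c.dst_ip, c.dst_port, RISKY_INBOUND_PORTS[c.dst_port]))
    return sorted(found)


def find_ioc_contacts(conns):
    """Outbound connections from internal hosts to blocklisted addresses.
    Denied attempts are kept too: a host trying to reach a C2 address is
    still worth triaging even when the firewall stopped it."""
    return [(c.src_ip, c.dst_ip, IOC_BLOCKLIST[c.dst_ip], c.action)
            for c in conns
            if is_internal(c.src_ip) and c.dst_ip in IOC_BLOCKLIST]


# Constructed sample log; addresses and timestamps are made up.
SAMPLE_LOG = """
# ts action src -> dst proto
2021-04-01T08:00:01Z ACCEPT 203.0.113.50:51234 -> 10.1.1.20:3389 tcp
2021-04-01T08:00:02Z ACCEPT 10.1.1.35:49812 -> 203.0.113.7:443 tcp
2021-04-01T08:00:03Z ACCEPT 10.1.1.35:49813 -> 203.0.113.200:443 tcp
2021-04-01T08:00:04Z ACCEPT 10.1.1.40:50001 -> 10.1.1.50:27017 tcp
2021-04-01T08:00:05Z DENY 198.51.100.23:40000 -> 10.1.1.20:22 tcp
2021-04-01T08:00:06Z ACCEPT 198.51.100.77:40001 -> 10.1.1.60:5432 tcp
2021-04-01T08:00:07Z DENY 10.1.1.22:50100 -> 192.0.2.99:80 tcp
"""


def summarise(text: str = SAMPLE_LOG):
    conns = parse_log(text)
    return {
        "connections": len(conns),
        "exposed_services": find_exposed_services(conns),
        "ioc_contacts": find_ioc_contacts(conns),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

Internal-to-internal use of a datastore port (the MongoDB line) is deliberately not reported, since the finding is about exposure to the internet, and an inbound connection that the firewall denied is not counted as an open port either.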
Enterprise Times: What does this mean?
Any business that does not think it is constantly under some degree of cyber-attack is fooling itself. Those attacks range from suspicious emails to login attempts using stolen credentials or brute force attacks. For cybercriminals, the supply chain has become a lucrative attack surface, and not just because of the company it initially compromises. Island hopping from one company to another is on the rise. It allows an attacker to gain a foothold in a smaller partner before migrating to its primary target.
To discover that large players in a critical industry are as unprepared as this report shows is of extreme concern. It is not just the risk of a semiconductor manufacturer losing some production. Any disruption to their supply chain has a global impact, as the Renesas fire is currently demonstrating.
There is also a long-term concern here. Attackers compromising soft fabs can insert malicious code into chip designs. That would allow them to launch attacks at some future point, when that microprocessor is in production with multiple companies. The impact of such an attack is very real and of great concern across the whole cybersecurity industry.