Digital skeleton keys can bypass security measures, allowing hackers unfettered access.
SEMI Benefits From CyCraft
CyCraft and several other SEMI members have been in detailed talks over what may be one of the most influential SEMI documents of the 21st century – SNARF 6506: New Standard Specifications for Computer System Security of Fab Equipment.
Members agree SEMI needs an extensive overhaul and modernization of its cybersecurity; however, ICS networks and endpoints provide a wide range of unique challenges.
“Hardware diversity and high availability are some of the main concerns of ICS. PLC’s don’t offer the same computing environments as full operating systems, leading to different approaches to security than we see in office IT environments, and upgrading every OS patch could cost companies millions of dollars in downtime – which isn’t an option given the industry’s competitive environment.” – Chad Duffy, CyCraft Global Product Manager
As we provide MDR services to members of the SEMI community, we were at ground zero when our customers in the semiconductor industry were targeted by a year-long sophisticated cyberattack campaign.
We encourage all SEMI members who have already begun the extensive process of upgrading and modernizing their ICS networks and endpoints in preparation for SNARF 6506 to hunt for and avoid these cyber threats in 2020.
The Year-Long Cyberattack Campaign
While Hubei Province was dealing with the sudden outbreak of COVID-19 in late 2019, it was revealed that multiple organizations along Taiwan’s high-tech ecosystem were victims of an advanced persistent threat (APT) attack , which originated in the semiconductor industry and still continues to be a threat today.
APTs are professional cyber espionage actors that typically receive direction and support from nation-states and often target organizations with high-value information, such as national defense, financial, energy, or now, the manufacturing of semiconductors.
Due to these APT attacks having similar behavior profiles (similar adversarial techniques, tactics, and procedures or TTP) with each other and previously documented cyberattacks, we assess with high confidence these new attacks were conducted by the same foreign threat actor, which we dubbed Chimera.
From VPN to Data Exfiltration, in Minutes
As more organizations are under work-from-home lockdown conditions, the attack surface for Chimera was expanded, as they thrive on exactly this type of environment.
During our research into several cyberattacks during their year-long and still ongoing campaign, Chimera gained initial access to the organization’s systems by abusing VPN policies. While VPN encryption is extremely beneficial, it can open up unintended security holes.
As Chimera was able to take advantage of the fact that VPNs allow direct access into an organization’s internal network, they were also able to bypass preventive security measures, such as firewalls for one. Once inside your system, even the lowest-skilled cybercriminals are capable of inciting a business altering event. Unfortunately for the victims, Chimera was highly sophisticated and fast.
Within minutes, Chimera was able to inject malware that would allow for a digital skeleton key. With this key, Chimera gained unfettered access to all machines within their Windows domain, bypassing login security measures with ease–a true security nightmare.
Chimera would then quickly locate and exfiltrate intellectual property, such as documents on integrated circuits (IC), software development kits (SDKs), IC designs, source code, etc. Once proprietary data had been exfiltrated, Chimera wouldn’t necessarily leave. In some systems, Chimera even retained unfettered access for almost a year.
Growing Cyber Threat Amid COVID-19 Pandemic
While our managed detection and response (MDR) customers were able to quickly detect and stop the sophisticated targeted attacks of Chimera, organizations outside of our protection got hit hard. For these organizations, we offered our post-intrusion incident response (IR) service which was able to eradicate all traces of malicious activity and help remediate and harden their system defenses. Chimera won’t be getting in again–ever.
Unfortunately, due to the global COVID-19 pandemic, there has been a sudden spike in remote environments across the world. In March of 2020, The Wall Street Journal reported that equipment makers were grappling to meet demand. Home endpoints are less secure than internal desktops, and now, there are millions of more home endpoints out there.
Organizations inexperienced with remote workforce security may simply rely on preventive security measures; however, as we have seen with Chimera, cybercriminals are more than capable of bypassing preventive security solutions even when VPNs are used.
These are dangerous times–both physically and digitally. We strongly urge organizations to employ detection and response security solutions, such as our CyCraft AIR Cloud Platform, to guarantee cyber resilience.
Gain Cyber Confidence, Join the CyCraft Community
When you join the CyCraft Community, you will be in good company. CyCraft secures government agencies, Fortune Global 500 firms, top banks and financial institutions, critical infrastructure, airlines, telecommunications, high-tech firms, and SMEs.
Learn why our global customers have joined our rapidly growing CyCraft Community and have stayed.
Additional Related Resources
- Check out our MITRE ATT&CK results, where we are #1 in the industry for alerted detections and general, tactic, and technique detections.
- Has your organization recently shifted to a Work From Home environment? Learn how to receive three FREE months of our Secure From Home services.
- Our Enterprise Health Check drops your mean dwell time down from 197 days to under 1 day. Know with confidence if cybercriminals have penetrated your enterprise.
- CyCraft CEO, Benson Wu, and CyCraft Global Project Manager, Chad Duffy, speak on the latest MITRE ATT&CK Evaluations. Read their thoughts on our results and the philosophy powering CyCraft.