Published by WIRED.COM
Summary generated on August 10, 2020
Taiwan has been in existential conflict with China for its entire existence and has been targeted by China's state-sponsored hackers for years.
An investigation by one Taiwanese security firm has revealed just how deeply a single group of Chinese hackers was able to penetrate an industry at the core of the Taiwanese economy, pillaging practically its entire semiconductor industry.
At the Black Hat security conference today, researchers from the Taiwanese cybersecurity firm CyCraft plan to present new details of a hacking campaign that compromised at least seven Taiwanese chip firms over the past two years.
While CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom.
The researchers found that in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers.
The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file.
From their initial access points, the hackers would attempt to move to other machines on the network by accessing databases of passwords protected with cryptographic hashing and attempting to crack them.
Whenever possible, CyCraft's analysts say, the hackers used stolen credentials and legitimate features available to users to move through the network and gain further access, rather than infect machines with malware that might reveal their fingerprints.
The most distinctive tactic that CyCraft found the hackers using repeatedly in the victims' networks was a technique to manipulate domain controllers, the powerful servers that set the rules for access in large networks.
With a custom-built program that combined code from the common hacking tools Dumpert and Mimikatz, the hackers would create a new authorized user in the domain controller's memory, a trick known as skeleton key injection.
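Two of the tactics above, the Cobalt Strike payload disguised under a Chrome updater's file name and the in-memory tampering with the domain controller's authentication process, each leave a signal a defender can look for. The script below is an added illustration written for this summary; it is not code from WIRED, CyCraft or the campaign. It runs two detections over constructed sample records: first, a process-creation record whose image name matches the Chrome updater but whose path or signer does not (the article does not name the file, so `GoogleUpdate.exe` and the install directories are assumptions); second, Kerberos TGT-request records (Windows event 4768) in which an account that normally receives AES tickets is issued an RC4 ticket, the encryption downgrade that Microsoft's identity-protection guidance associates with skeleton-key-style patches of the domain controller's LSASS. The AES baseline set and all event records are constructed for the example.

```python
"""Two lightweight detections for the tradecraft described above.

Both run over constructed, in-memory sample records, not real telemetry:
  1. A process whose image name is the Chrome updater's but which runs from
     outside the updater's known install directories or lacks Google's
     Authenticode signature.
  2. Kerberos TGT records (event 4768 style) where an account with an AES
     baseline is issued an RC4 ticket (etype 0x17), a downgrade that
     commonly accompanies a skeleton-key patch of LSASS on a domain controller.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple
import ntpath

# Assumption: the masquerade name is GoogleUpdate.exe; the article only says
# "a Google Chrome update file". Directories are the updater's usual homes.
CHROME_UPDATER_NAME = "googleupdate.exe"
CHROME_UPDATER_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)
CHROME_SIGNER = "Google LLC"

# Kerberos encryption-type numbers from RFC 3961 / RFC 4757.
RC4_HMAC = 0x17
AES_ETYPES = {0x11, 0x12}  # aes128 / aes256-cts-hmac-sha1-96


@dataclass
class ProcessEvent:
    image_path: str
    signed_by: Optional[str]  # constructed: Authenticode publisher, if any


@dataclass
class KerberosTgtEvent:
    account: str
    etype: int


def suspicious_updater(ev: ProcessEvent) -> bool:
    """True when a binary named like the Chrome updater runs from an
    unexpected directory or is not signed by Google."""
    directory, name = ntpath.split(ev.image_path.lower())
    if name != CHROME_UPDATER_NAME:
        return False
    in_known_dir = any(directory == d or directory.startswith(d + "\\")
                       for d in CHROME_UPDATER_DIRS)
    return not in_known_dir or ev.signed_by != CHROME_SIGNER


def encryption_downgrades(events: Iterable[KerberosTgtEvent],
                          aes_accounts: Set[str]) -> List[str]:
    """Accounts from the AES baseline that were issued an RC4 TGT.

    Assumption: `aes_accounts` holds principals whose recent tickets were
    all AES, so an RC4 ticket for them is a downgrade worth investigating.
    """
    return sorted({e.account for e in events
                   if e.etype == RC4_HMAC and e.account in aes_accounts})


# Constructed sample telemetry.
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
                 "Google LLC"),
    ProcessEvent(r"C:\Users\Public\GoogleUpdate.exe", None),  # planted copy
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "Microsoft Windows"),
]
SAMPLE_TGTS = [
    KerberosTgtEvent("alice", 0x12),
    KerberosTgtEvent("alice", 0x17),       # downgrade for an AES account
    KerberosTgtEvent("svc_legacy", 0x17),  # RC4 is normal for this account
    KerberosTgtEvent("bob", 0x12),
]
AES_BASELINE = {"alice", "bob"}


def run_detections() -> Tuple[List[str], List[str]]:
    """Return (flagged image paths, downgraded accounts) for the samples."""
    flagged = [p.image_path for p in SAMPLE_PROCESSES if suspicious_updater(p)]
    return flagged, encryption_downgrades(SAMPLE_TGTS, AES_BASELINE)


if __name__ == "__main__":
    flagged, downgraded = run_detections()
    print("masquerading updater binaries:", flagged)
    print("AES accounts issued RC4 tickets:", downgraded)
```

The downgrade check only works against a per-account baseline: accounts that legitimately still use RC4 (the `svc_legacy` record) must be excluded or they drown the signal, so in practice the baseline is built from a window of prior 4768 events rather than hard-coded as it is here.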