Taiwan has faced an existential conflict with China throughout its existence and has been under attack for years by China's state-sponsored hackers. However, an investigation by a Taiwanese security company has revealed how deeply a single group of Chinese hackers could penetrate an industry at the core of the Taiwanese economy and loot virtually the entire semiconductor industry.
At today's Black Hat security conference, researchers from Taiwanese cybersecurity company CyCraft plan to reveal new details of a hacking campaign that has compromised at least seven Taiwanese chipmakers in the past two years. The series of deep intrusions – called Operation Skeleton Key because the attackers used a "Skeleton Key Injector" technique – appeared to be aimed at stealing as much intellectual property as possible, including source code, software development kits and chip designs. And while CyCraft previously named this group of hackers Chimera, the company's new findings contain evidence linking them to mainland China and loosely connecting them to the notorious Chinese government-sponsored hacking group Winnti, sometimes known as Barium or Axiom.
"This is largely a government attack that seeks to manipulate Taiwan's reputation and power," said Chad Duffy, a CyCraft researcher who worked on the company's long-running investigation. The type of wholesale intellectual property theft that CyCraft has observed "is profoundly affecting a company's overall business ability," added Chung-Kuan Chen, another CyCraft researcher who will present the company's research at Black Hat today. "It's a strategic attack on the entire industry."
The CyCraft researchers declined to tell WIRED the names of the victim companies. Some of the victims were CyCraft customers, while the company analyzed other intrusions in collaboration with an incident response group known as the Forum of Incident Response and Security Teams. Several of the victim semiconductor companies were headquartered in the Hsinchu Industrial Park, a technology center in the northwestern Taiwanese city of Hsinchu.
The researchers found that, at least in some cases, compromising virtual private networks gave the hackers initial access to victim networks, although it was not clear whether they had obtained credentials for that VPN access or directly exploited vulnerabilities in the VPN server. The hackers then typically used a customized version of the Cobalt Strike penetration testing tool, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, which makes the traffic harder to flag as abnormal.
From their initial access points, the hackers would try to move laterally to other computers on the network by accessing databases of cryptographically hashed passwords and attempting to crack them. According to CyCraft analysts, rather than infecting computers with malware that might reveal their fingerprints, the hackers used stolen credentials and legitimate features available to users to move around the network and gain further access wherever possible.
The most distinctive tactic CyCraft saw the hackers use repeatedly in victim networks, however, was a technique for manipulating domain controllers, the powerful servers that set the rules for access in large networks. Using a custom-built program that combined code from the popular hacking tools Dumpert and Mimikatz, the hackers would add a new, additional password for every user to the domain controller's memory – the same password for every user – a trick known as Skeleton Key injection. With this new password, the hackers had secret access to machines across the company. "It's like a skeleton key that lets you go anywhere," says Duffy.
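Two of the behaviours described above leave traces a defender can look for in endpoint telemetry: a binary named after the Chrome updater but running from the wrong directory, and a process that opens the domain controller's LSASS process with rights sufficient to inject code (the step a skeleton key implant needs). The script below is an added example, not code from WIRED or from CyCraft: it triages a constructed list of Sysmon-style events (Event ID 1 process creation, Event ID 10 process access). The event field names, the file name GoogleUpdate.exe, the expected install directories and the LSASS allow-list are all assumptions that a defender would tune to their own environment.

```python
"""Added example (not from the article or CyCraft): triage Sysmon-style events
for (a) a Chrome-updater look-alike running from an unexpected directory and
(b) injection-capable access to lsass.exe from a non-allow-listed process."""
import ntpath
from typing import Optional

# Assumption: directories where Google's updater normally lives on 64-bit Windows.
EXPECTED_GOOGLE_UPDATE_DIRS = {
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
}

# Assumption: processes expected to open lsass.exe on a domain controller.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
}

# Access-mask bits that let a caller write into or start threads in another process:
# PROCESS_CREATE_THREAD (0x2), PROCESS_VM_OPERATION (0x8), PROCESS_VM_WRITE (0x20).
INJECT_CAPABLE_BITS = 0x0002 | 0x0008 | 0x0020


def _norm(path: str) -> str:
    """Lower-case a Windows path so comparisons ignore case."""
    return path.lower()


def check_masquerade(event: dict) -> Optional[str]:
    """Process creation (Sysmon ID 1): flag a binary named like the Chrome
    updater that runs from outside the updater's install directory."""
    if event.get("event_id") != 1:
        return None
    image = _norm(event["image"])
    if ntpath.basename(image) != "googleupdate.exe":
        return None
    if ntpath.dirname(image) in EXPECTED_GOOGLE_UPDATE_DIRS:
        return None
    return f"masquerade: {event['image']} runs outside the expected updater directory on {event['host']}"


def check_lsass_access(event: dict) -> Optional[str]:
    """Process access (Sysmon ID 10): flag a non-allow-listed process that
    opens lsass.exe with rights sufficient to inject code."""
    if event.get("event_id") != 10:
        return None
    if ntpath.basename(_norm(event["target_image"])) != "lsass.exe":
        return None
    source = _norm(event["source_image"])
    if source in LSASS_ACCESS_ALLOWLIST:
        return None
    granted = int(event["granted_access"], 16)
    if granted & INJECT_CAPABLE_BITS == 0:
        return None  # read-only handles (e.g. 0x1000) are normal and noisy
    return (f"lsass access: {event['source_image']} opened lsass.exe "
            f"with 0x{granted:X} on {event['host']}")


def triage(events: list) -> list:
    """Run every check over every event and collect the alert strings."""
    alerts = []
    for ev in events:
        for check in (check_masquerade, check_lsass_access):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry): one benign and one suspicious
# instance of each behaviour.
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    {"event_id": 1, "host": "ws02",
     "image": r"C:\Users\Public\GoogleUpdate.exe"},
    {"event_id": 10, "host": "dc01",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1000"},
    {"event_id": 10, "host": "dc01",
     "source_image": r"C:\Users\admin\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe",
     "granted_access": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The LSASS check keys on the granted access mask rather than on the source image alone, because benign tools routinely open LSASS with query-only rights; the allow-list exists to suppress the handful of system processes that legitimately need write access, and on a real domain controller it should be built from observed baseline telemetry rather than copied from here.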
CyCraft quietly published most of these findings on Operation Skeleton Key in April of this year. Its Black Hat talk, however, aims to add several new insights that help tie the hacking campaign to mainland China.
Perhaps the most notable of these new leads came from hacking the hackers themselves. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and intercepted an authentication token from its communication with a command-and-control server. With that token, CyCraft analysts were able to search the contents of the cloud server, which contained what they called the hackers' "cheat sheet," a document outlining their standard operating procedures for typical intrusions. Notably, the document is written in the simplified Chinese characters used in mainland China but not in Taiwan.
The hackers also appeared to be operating largely within Beijing's time zone, following a "996" work schedule – the Chinese tech industry's six-day-a-week regime, from 9 a.m. to 9 p.m. – and going quiet around mainland China's holidays. Finally, CyCraft says that from working with Taiwanese and foreign intelligence agencies, it learned that a group of hackers using similar techniques is targeting Taiwanese government agencies as well.
Most revealing, however, according to CyCraft, was the presence in multiple victims' networks of a backdoor program previously used by the Winnti group, a large collection of hackers that has been operating for over a decade and is widely believed to be based in mainland China. In recent years, Winnti has become known for carrying out a mix of what appears to be government-sponsored hacking aligned with China's interests and for-profit criminal hacking, often targeting video game companies. In 2015, Symantec found that Winnti was apparently also using skeleton key injection attacks like those CyCraft saw used against the Taiwanese semiconductor companies. (CyCraft notes that it is still not certain that Chimera is actually Winnti, but considers it a likely possibility.)
"Fragment of a larger picture"
Kaspersky, which first spotted and named the Winnti group in a 2013 study, linked the group to an attack last year that hijacked the update mechanism for computers sold by Asus in Taiwan. According to Costin Raiu, director of Kaspersky's Global Research & Analysis Team, Winnti is responsible for other attacks on a wide range of Taiwanese companies beyond the semiconductor manufacturers CyCraft focuses on, from telecommunications companies to technology companies.
"It's possible that what you see is just a small fragment of a larger picture," says Raiu. Winnti is not unique among China-affiliated groups when it comes to widespread targeting of Taiwan, Raiu adds. But he says that Winnti's innovative tactics, like hijacking Asus' software updates, set them apart.
Even against the backdrop of China's mass hacking of its island neighbor, CyCraft's Duffy argues that the semiconductor industry is a particularly dangerous target. Theft of chip circuit diagrams could make it easier for Chinese hackers to find vulnerabilities hidden in computer hardware. "If you have a really deep understanding of these chips at a schematic level, you can run all kinds of simulated attacks on them and find vulnerabilities before they're even released," says Duffy. "When the devices hit the market, they were already compromised."
CyCraft admits that it cannot determine what the hackers are doing with the stolen chip design documents and code, and concedes that the more likely motivation for the hacking campaign is simply to give China's own semiconductor manufacturers an edge over their rivals. "This is a way to cripple part of the Taiwanese economy and affect its long-term viability," says Duffy. "When you look at the scope of this attack, pretty much the entire industry down the supply chain, it seems like it's about shifting the balance of power there. When all of the intellectual property is in China's hands, they have a lot more power."
This story originally appeared on wired.com.