A hacker group linked with China allegedly infiltrated the corporate network of Dutch semiconductor manufacturer NXP Semiconductors from late 2017 to spring 2020. According to a report from the Dutch newspaper NRC, these malicious actors primarily targeted email inboxes and chip designs. The entry point seemed to be user accounts typically used by NXP employees to access the company network via VPN.
The attackers apparently acquired access credentials through a combined approach of leveraging information from previous data breaches and conducting brute-force attacks on passwords. Despite NXP having two-factor authentication linked to respective accounts via phone numbers, the hackers purportedly found a way to bypass this security measure.
Data Breach via Cloud Services
Once inside the NXP network, the hackers, as per the NRC report, compressed and encrypted internal data, using cloud storage services like Microsoft OneDrive, Google Drive, and Dropbox for exfiltration. Log files revealed periodic visits by the attackers every few weeks to retrieve new data and take control of additional user accounts.
The detection of the cyberattack on NXP reportedly occurred due to another attack on the airline Transavia. Investigations at Transavia revealed a connection to IP addresses in Eindhoven, the Dutch city housing NXP’s headquarters. Consequently, investigations were initiated at the semiconductor manufacturer.
Tracing the Trails to China
The attack is believed to be orchestrated by the Chinese hacker group Chimera. Their name derives from the malicious software they used, called Chimerar, to establish connections with target systems and pilfer data. A notable characteristic of Chimera, according to NRC, is the password typically used by the hackers to encrypt the stolen data: “fuckyou.google.com.”
The link to China is evident through various means, including the hackers’ activity times. “The log files spanning over two years indicate work hours aligning precisely with Chinese time zones, including a break around noon,” as stated in the NRC report. Sundays typically saw no activity from Chimera, and during Chinese holidays, the attackers were scarcely or not active at all.
In 2020, NXP saw no reason to alert its customers about the impact of the breach. They emphasized that chip production involves more than just the accessed chip designs and requires specialized knowledge to actually manufacture the semiconductors. This knowledge is stored in “other locations.”
READ MORE: Blue Origin’s New Glenn Rocket to Carry NASA Satellites on Maiden Flight
