Ransomware attacks on semiconductor companies will have ‘detrimental impact’ on production capabilities, Recorded Future says

Recorded Future disclosed in a report that eight semiconductor companies have been attacked and extorted by ransomware actors since the start of this year. These attacks included using LockBit, LV ransomware, and Cuba ransomware and were carried out by extortion groups, including the Lapsus$ Group and RansomHouse. The report provides an analysis of the importance of the semiconductor industry and the role it plays in the increasingly complex geopolitical environment, apart from identifying the tactics, techniques, and procedures (TTPs) used by ransomware actors in their attacks.

“We believe that ransomware operators see semiconductor companies as high-value targets and leverage media coverage to apply pressure on the victim organization to negotiate and pay the ransom due to the importance of semiconductors to the global economy,” Recorded Future said in a post on Thursday. 

The report said that instead of a direct military confrontation, China is highly likely to conduct cyber warfare against Taiwan and the US, with semiconductor firms being a possible target. “We believe that China, Russia, and North Korea have the intention, capabilities, and political will to conduct cyberattacks against the US and its allies, specifically top semiconductor firms such as TSMC and Samsung. We expect cybercriminals to conduct cyberattacks not just against these semiconductor firms directly, but also against their partner companies, clients, and raw material suppliers.”

Recorded Future added that any delays or disruptions to the semiconductor industry in the current semiconductor chip shortage situation will have a detrimental impact on the production capabilities of industries across the globe and may result in worsening economic conditions worldwide. This, in turn, may also lead to future social unrest and political shifts due to economic hardship, which will serve the political, military, economic, and technological interests of nation-states such as China and Russia, it added.

Apart from analyzing the TTPs of each group and the possible motivations behind the attacks, Recorded Future explored in its report the economic and strategic importance of the semiconductor industry and the crucial role it plays in the geopolitics of the US, China and Taiwan, and the wider Asia Pacific region. That complex relationship could foreshadow cyberattacks against the semiconductor industry by cybercrime and state-sponsored groups in the near future.

In 2022, Recorded Future observed data theft at AMD and data theft followed by extortion at NVIDIA: AMD was attacked by the RansomHouse gang in January, and NVIDIA was attacked and extorted by Lapsus$ Group in March. “We also observed that semiconductor manufacturers including Samsung, Ignitarium, Diodes Inc., Etron Technology, SilTerra Malaysia Sdn. Bhd., and Semikron have been affected by ransomware attacks so far in 2022,” it added.

“Based on our research, we identified that attacks on semiconductor companies were not necessarily conducted by ransomware operators, but rather by their affiliates using the ransomware-as-a-service (RaaS) and double extortion models,” according to Recorded Future. “Most top ransomware gangs, including Conti, LockBit, and REvil, have adopted the RaaS business model, where the affiliates use readily available toolkits to execute ransomware attacks and earn a percentage of each successful ransom payment. RaaS enables threat actors without a high level of technical expertise to launch and execute their attacks.” 

The report also found that all the ransomware gangs involved adopted the double extortion tactic and leaked victim data on their respective extortion blogs; since data is typically published only when a victim refuses to pay, this suggests that these groups did not succeed in getting a significant number of victims to pay the demanded ransom. “This was the case for most of the victims analyzed in this report. We also identified threat actors threatening extortion but not using ransomware when targeting semiconductor firms. This shows that both more technical and non-technical threat actors who have the intention and the will are targeting semiconductor firms,” the post added.

As semiconductors are the hearts of electronic devices such as smartphones, computers, automobiles, appliances, televisions, and advanced medical diagnostic equipment, any disruption to the semiconductor sector would likely impact all other manufacturing sectors.

Recorded Future catalogued the TTPs ransomware actors used in their attacks against semiconductor companies. Among them are the use of malware to encrypt data, extortion through the threat of data exposure, the release of source code and intellectual property, the use of stolen code-signing certificates to sign malware, and the possibility of selling proprietary data to industry competitors or rival nation-states.
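The stolen-certificate TTP is one a defender can check for directly. The PowerShell script below is an added example and not part of the Recorded Future report or any vendor tooling: it walks a directory, reads each file's Authenticode signature with Get-AuthenticodeSignature, and reports binaries whose signer thumbprint appears on a blocklist of certificates known to be stolen, or whose signature does not validate at all. The scan path, the extension list and the two thumbprints are placeholder assumptions; substitute the thumbprints your threat intelligence has flagged.

```powershell
# Added example (not from the Recorded Future report): flag PE files signed
# with a known-stolen code-signing certificate, or carrying a signature that
# does not validate. Thumbprints below are PLACEHOLDERS (assumption), to be
# replaced with the SHA-1 thumbprints of certificates your intel marks stolen.
param(
    [string]$Path = "C:\Windows\Temp",                      # assumed scan root
    [string[]]$Extensions = @('*.exe', '*.dll', '*.sys', '*.ps1')
)

$stolenThumbprints = @(
    '0000000000000000000000000000000000000001',  # placeholder, not a real cert
    '0000000000000000000000000000000000000002'   # placeholder, not a real cert
)

$files = Get-ChildItem -Path $Path -Recurse -File -Include $Extensions -ErrorAction SilentlyContinue

$findings = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    if ($sig.Status -eq 'NotSigned') { continue }   # unsigned files are a separate policy question

    $cert  = $sig.SignerCertificate
    $thumb = if ($cert) { $cert.Thumbprint } else { $null }
    $onBlocklist = [bool]($thumb -and ($stolenThumbprints -contains $thumb))
    $expired     = [bool]($cert -and ($cert.NotAfter -lt (Get-Date)))

    # Report two distinct conditions:
    #  1. the signer is on the stolen-cert blocklist, even if Windows still
    #     reports the signature as Valid (a hash-only blocklist misses this);
    #  2. the signature exists but does not validate (HashMismatch, NotTrusted,
    #     UnknownError ...), which is how tampering or an untrusted chain shows up.
    if ($onBlocklist -or $sig.Status -ne 'Valid') {
        [pscustomobject]@{
            File        = $f.FullName
            Status      = $sig.Status
            Signer      = if ($cert) { $cert.Subject } else { '' }
            Thumbprint  = $thumb
            CertExpired = $expired
            OnBlocklist = $onBlocklist
            Reason      = if ($onBlocklist) { 'signer thumbprint on stolen-cert blocklist' }
                          else { "signature status $($sig.Status)" }
        }
    }
}

# Blocklist hits first; pipe to Export-Csv to feed a ticket or a SIEM.
$findings | Sort-Object OnBlocklist -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so system directories are readable. The blocklist match matters most when Status is still Valid: a binary signed with a leaked certificate before that certificate was revoked, and countersigned with a timestamp, passes ordinary chain validation, so only the thumbprint (or an EDR rule keyed on it) will catch it.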

The motives of ransomware threat actors range from being purely financially driven to thrill-seeking to the possibly strategic theft of intellectual property, Recorded Future reported. “While none of the cyberattacks against semiconductor companies analyzed here have direct connections to nation-state groups, industry reports uncovered state-sponsored threat actors masquerading as ransomware groups and using at least 5 ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage,” it added.

In most cases, poor security practices led to initial compromise by ransomware actors, which resulted in data and information theft. As the competition for semiconductor supremacy is at the heart of the economic competition between China and Taiwan, Recorded Future believes it is likely that cyberattacks and industrial espionage against semiconductor companies will continue.

The U.S. government does not currently define the semiconductor industry as being a critical infrastructure sector, and it is also not explicitly listed under the critical manufacturing sector. “But while the semiconductor industry may not be listed as a critical infrastructure sector as of this writing, with the growing recognition of its strategic importance, as well as the US government’s plan to support domestic chip production, we believe that there is a strong likelihood that the US government may classify semiconductor firms as a critical infrastructure sector in the future, which will serve as a new deterrent to prevent ransomware affiliates from targeting this industry,” the post added. 

Recorded Future also said that it believes that nation-state threat hackers may have already become affiliates with RaaS operators and are using different ransomware families to conduct cyberattacks with the main objective of stealing IP from semiconductor companies. By doing so, these nation-state threat actors can use readily available ransomware to encrypt and steal information and make the cyberattacks look like attacks from ransomware groups. 

As attacks on high-profile targets such as critical infrastructure and semiconductor firms draw public attention worldwide, threat groups often operate under the guise of anonymity, diverting attribution to ransomware groups instead. 

Last month, U.S. President Joe Biden signed a bipartisan bill to strengthen US competitiveness with China by investing US$52.7 billion in domestic semiconductor manufacturing and science research. The bill, titled the CHIPS (Creating Helpful Incentives to Produce Semiconductors) and Science Act of 2022, includes both investment and tax credits to encourage investment in semiconductor manufacturing.

Recorded Future said that fierce competition for semiconductor supremacy is at the heart of the geopolitical struggle between China and Taiwan and the entire Asia Pacific region, as China’s past advancement in semiconductors has already been linked to alleged espionage. “We do not rule out the possibility of nation-state involvement in these ransomware attacks on semiconductor companies. Furthermore, nation-states could also hide behind the facade of ransomware operators and their affiliates and are not likely to take responsibility for IP and data theft of semiconductor firms. Threat groups operating in the interests of nation-states, such as Bronze Starlight, have already utilized multiple strains of ransomware to encrypt, steal, or destroy IP data,” it added.

Last week, Recorded Future detailed the unique infrastructure used by the threat hacker group UAC-0113, which is linked with moderate confidence by the Computer Emergency Response Team of Ukraine (CERT-UA) to the Russian advanced persistent threat (APT) group Sandworm. The report focuses on the trends observed by Insikt Group while monitoring UAC-0113 infrastructure, including the frequent use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows the group’s efforts to target entities in Ukraine remain ongoing.
