The Chinese hacking group Chimera had access to NXP systems for more than two and a half years. The Dutch company is one of the largest semiconductor manufacturers in the world and its chips are found in a wide range of products. NXP is the largest chipmaker for the automotive industry and the best-known chipmaker in Europe. The company is valued at an estimated 52 billion US dollars.
It also makes the Mifare chips used in public transport cards and the chips used for contactless payments via Apple Pay.
The intrusion dates back to mid-2017 and went undetected for more than two years, until 2020. Throughout that period the attackers had unhindered access to the Dutch manufacturer's data and computer systems.
Intellectual property, including chip designs, was stolen, although exactly what was taken has not been disclosed. NXP says the attacks caused no material damage, which is unusual for intellectual property theft; the company's explanation is that the stolen data is complex and that replicating the designs from it is far less straightforward than one might think.
NXP was not transparent about the attack
The NXP breach would never have become public had the attack on the Dutch airline Transavia not been revealed. That investigation found that the attackers had been in Transavia's systems since September 2019, attempting to gain control of its reservation systems. Transavia discovered the attack on October 21 and reported it to the Dutch Data Protection Authority, and security experts from Fox-IT were called in to handle the response.
During that work, Fox-IT found that the attackers had reached Transavia from an IP address in Eindhoven, where NXP has its headquarters. It was this connection that led to the discovery of the intrusion at NXP.
Two years ago
As soon as NXP learned of this, it too called in the security experts from Fox-IT. The investigation at NXP began in January 2020.
Because NXP's shares are publicly traded, the company had to tell investors that it had been the victim of a hacking attack. The hack was mentioned in the 2019 annual report, but without any detail on how serious it was: the report stated that the attack was unlikely to affect financial operations and that the company was working to keep it that way. What was missing was any mention that the attackers had been moving freely through the network for years, and the reports of the following years added nothing further.
NXP and Fox-IT, together with Microsoft, cleaned the systems one by one. The investigators feared what the intruders might do if they realised they had been discovered. Fox-IT's work continued until April 2020.
How the Chimera managed to break through the protection
The attackers got in with login credentials that had been published earlier. According to NRC's reporting, they used data from leaked Facebook and LinkedIn accounts and brute-forced the passwords. At first the hackers logged into company systems exclusively with employee accounts. When NXP introduced two-factor authentication, the attackers simply added their own alternate phone numbers to the accounts they controlled.
Once they had a foothold on the first computer, the attackers went on to explore the network. They dug far and deep, patiently collecting data from NXP's servers. Every few weeks they checked for new data and uploaded it, encrypted, to online storage services such as OneDrive or Dropbox.
The hackers' modus operandi is also clear: once large amounts of data have been collected, such as the contents of mailboxes or network drives holding confidential information, the files are first compressed and encrypted, then staged for copying out via cloud services such as Google Drive, Microsoft OneDrive and Dropbox, all without being noticed. Hence the title of Fox-IT's research blog post: Abusing cloud services to fly under the radar.
Several pieces of evidence have led experts to suspect Chinese espionage. The intrusions coincided with attacks by the same group on several Taiwanese chipmakers, where the attackers were likewise after chip designs and software. The Taiwanese security firm CyCraft named the group Chimera after ChimeRAR, the tool the group uses to collect and steal data; the same tool was used in the attack on NXP. The attacks also took place during Chinese working hours.
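The second-factor bypass described above, an attacker registering an extra phone number on an account reached with a guessed password, leaves a trail in identity audit logs: a burst of failed logins, a success from an address the user has never used, and a phone enrolment minutes later. The following check over such events is an added example and is not code from NXP, Fox-IT or NRC; the event schema, the 24-hour lookback, the failure threshold and the assumption that staff phones carry the Dutch +31 prefix are all constructed for illustration.

```python
"""Flag suspicious phone-number enrolments as a second factor.

Added example with a constructed audit-event schema; thresholds and the
home phone prefix are assumptions, not any vendor's defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_PHONE_PREFIX = "+31"   # assumed: workforce phones are Dutch numbers
FAILURE_THRESHOLD = 5       # failed logins in the prior 24 h that suggest guessing
LOOKBACK = timedelta(hours=24)


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2019-09-01T01:35:10Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_mfa_enrolments(events):
    """Return one finding per phone enrolment that looks attacker-driven.

    Each event is a dict with ts, user, event and ip; enrolments also carry
    method and phone. Three signals are combined: the enrolling IP was never
    used for a successful login more than 24 h earlier, the account saw a
    burst of failed logins just before, or the phone is outside the home
    country. Any one of them produces a finding.
    """
    successes = defaultdict(list)   # user -> [(ts, ip)] of successful logins so far
    failures = defaultdict(list)    # user -> [ts] of failed logins so far
    findings = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, kind = _ts(e["ts"]), e["user"], e["event"]
        if kind == "login_success":
            successes[user].append((ts, e["ip"]))
        elif kind == "login_failure":
            failures[user].append(ts)
        elif kind == "mfa_method_added" and e.get("method") == "phone":
            reasons = []
            # Addresses established as normal for this user well before the change.
            known_ips = {ip for t, ip in successes[user] if ts - t > LOOKBACK}
            if e["ip"] not in known_ips:
                reasons.append("ip_not_previously_seen_for_user")
            recent_failures = sum(1 for t in failures[user] if ts - LOOKBACK <= t < ts)
            if recent_failures >= FAILURE_THRESHOLD:
                reasons.append(f"{recent_failures}_failed_logins_in_prior_24h")
            phone = e["phone"].replace(" ", "").replace("-", "")
            if not phone.startswith(HOME_PHONE_PREFIX):
                reasons.append("phone_outside_home_country")
            if reasons:
                findings.append({"user": user, "ts": e["ts"], "ip": e["ip"],
                                 "phone": e["phone"], "reasons": reasons})
    return findings


# Constructed sample events (documentation IP ranges and a 555 phone number).
SAMPLE_EVENTS = [
    {"ts": "2019-08-12T08:02:11Z", "user": "jdoe", "event": "login_success", "ip": "10.20.4.17"},
    {"ts": "2019-08-20T09:00:00Z", "user": "asmith", "event": "login_success", "ip": "10.20.7.2"},
    {"ts": "2019-09-01T01:32:48Z", "user": "jdoe", "event": "login_success", "ip": "203.0.113.9"},
    {"ts": "2019-09-01T01:35:10Z", "user": "jdoe", "event": "mfa_method_added",
     "method": "phone", "phone": "+1-202-555-0143", "ip": "203.0.113.9"},
    {"ts": "2019-09-02T08:58:21Z", "user": "asmith", "event": "login_success", "ip": "10.20.7.2"},
    {"ts": "2019-09-02T09:05:40Z", "user": "asmith", "event": "mfa_method_added",
     "method": "phone", "phone": "+31 6 1234 5678", "ip": "10.20.7.2"},
] + [  # six password guesses against jdoe in the 25 minutes before the success
    {"ts": f"2019-09-01T01:{10 + 3 * i:02d}:03Z", "user": "jdoe",
     "event": "login_failure", "ip": "203.0.113.9"}
    for i in range(6)
]


if __name__ == "__main__":
    for finding in review_mfa_enrolments(SAMPLE_EVENTS):
        print(finding)
```

The lookback is what keeps the check honest: the login that immediately precedes the enrolment is exactly the one the attacker made, so an address only counts as "known" if the user logged in from it at least a day earlier. The legitimate enrolment by asmith, from an office address with a month of history, a home-country number and no failed logins, produces no finding.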
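The staging pattern above, archives pushed out in chunks to consumer file-sync services, is invisible to controls that only look at the content of the upload, because the archive is encrypted; what a web proxy still records is who sent how many bytes to which host and when. The detector below is an added example and not Fox-IT's or NXP's tooling; the proxy log format, the list of storage domains, the 20 MB daily threshold and the business-hours window are constructed for illustration. It sums upload bytes to those services per user and day, and annotates each hit with two corroborating signals the page mentions: archive content types and off-hours activity.

```python
"""Flag bulk uploads to consumer cloud-storage services in web-proxy logs.

Added example with a constructed log format; the domain list, threshold
and business hours are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Domains fronting file-sync services (illustrative, not exhaustive).
CLOUD_STORAGE_SUFFIXES = (
    "onedrive.live.com", "1drv.ms",
    "dropbox.com", "dropboxapi.com", "dropboxusercontent.com",
    "drive.google.com", "docs.google.com",
)
# Content types of the compressed containers the page describes.
ARCHIVE_TYPES = {
    "application/zip", "application/x-rar-compressed", "application/vnd.rar",
    "application/x-7z-compressed", "application/gzip",
}
UPLOAD_METHODS = {"POST", "PUT"}


@dataclass
class Request:
    ts: datetime
    src_ip: str
    user: str
    method: str
    host: str
    bytes_out: int        # request body size sent by the client
    content_type: str


def parse_line(line: str) -> Request:
    """Assumed format: <ISO8601> <src_ip> <user> <method> <host> <bytes_out> <content_type>."""
    ts, src_ip, user, method, host, bytes_out, ctype = line.split()
    return Request(datetime.fromisoformat(ts.replace("Z", "+00:00")), src_ip, user,
                   method.upper(), host.lower(), int(bytes_out), ctype.lower())


def is_cloud_storage(host: str) -> bool:
    """True when host is one of the listed domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES)


def find_bulk_uploads(lines, threshold_bytes=20 * 1024 * 1024, business_hours=(7, 19)):
    """Return one finding per (user, day) whose uploads to cloud storage exceed the threshold."""
    start, end = business_hours
    per_user_day = defaultdict(lambda: {"bytes": 0, "hosts": set(), "requests": 0,
                                        "off_hours": 0, "archives": 0})
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        r = parse_line(raw)
        if r.method not in UPLOAD_METHODS or not is_cloud_storage(r.host):
            continue                      # downloads and non-storage hosts are ignored
        agg = per_user_day[(r.user, r.ts.date().isoformat())]
        agg["bytes"] += r.bytes_out
        agg["hosts"].add(r.host)
        agg["requests"] += 1
        if not start <= r.ts.hour < end:
            agg["off_hours"] += 1
        if r.content_type in ARCHIVE_TYPES:
            agg["archives"] += 1
    findings = []
    for (user, day), agg in sorted(per_user_day.items()):
        if agg["bytes"] >= threshold_bytes:
            findings.append({"user": user, "day": day, "bytes": agg["bytes"],
                             "hosts": sorted(agg["hosts"]), "requests": agg["requests"],
                             "off_hours_uploads": agg["off_hours"],
                             "archive_uploads": agg["archives"]})
    return findings


# Constructed sample lines, not real NXP traffic.
SAMPLE_PROXY_LOG = """\
# ts src_ip user method host bytes_out content_type
2019-11-03T02:14:07Z 10.20.4.17 jdoe POST content.dropboxapi.com 15728640 application/x-rar-compressed
2019-11-03T02:21:40Z 10.20.4.17 jdoe POST content.dropboxapi.com 15728640 application/x-rar-compressed
2019-11-03T02:30:12Z 10.20.4.17 jdoe PUT onedrive.live.com 8388608 application/octet-stream
2019-11-03T10:05:33Z 10.20.7.2 asmith POST www.dropbox.com 1048576 application/pdf
2019-11-03T11:12:01Z 10.20.8.9 bwong GET onedrive.live.com 0 -
2019-11-03T13:40:45Z 10.20.5.5 cmeyer PUT files.corp.example 52428800 application/zip
"""


if __name__ == "__main__":
    for finding in find_bulk_uploads(SAMPLE_PROXY_LOG.splitlines()):
        print(finding)
```

Only jdoe is reported: 38 MB in three chunks to two different services at two in the morning, two of them RAR archives. The 1 MB PDF from asmith stays under the threshold, the OneDrive GET is a download, and the 50 MB zip to an internal file server is not cloud storage at all. Two caveats for real deployments: the content type is only visible if the proxy terminates TLS, so the byte-volume signal has to carry the detection on its own when it does not, and organisations that sanction OneDrive or Google Drive need a per-user baseline or an allow-list of corporate tenants rather than a flat threshold.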
After detecting the attack, NXP took measures to improve its protection: it now monitors data flows and limits access to data within the network. Not everyone is impressed by measures taken only after the fact.
‘Another reminder: investing into your cyber program *after the breach* isn’t risk management; it’s PR. Relying on periodic audits and compliance reports to manage your enterprise risk is busy work devoid of meaning. Letting an attacker live in your networks for over two years, with all the technology at our disposal today, is tough to defend, especially for an environment containing highly sensitive, national security-level data.’ – says the security expert Igor Volovich in a post on LinkedIn.
One problem, of course, is that the Chimera hackers managed to steal a substantial amount of data about the development of the chips, in other words intellectual property. The second, and probably bigger, issue for the future is whether the hackers succeeded in planting backdoors in the electronics. There is no confirmation of this so far, but two and a half years is a very long time, so it cannot be ruled out.