Anyone else remember when Colonial Pipeline was attacked? The "ransomware as a service" platform[0] stepped in to say "oops, sorry, never mind" when they realized they'd attracted more attention than they were prepared for[1]:
> We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
> Our goal is to make money and not creating problems for society.
> From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
This one isn't causing immediate disruptions to regular people in the US, but it's still geopolitical-level meddling. If you want to run around mugging people, it's best to avoid robbing the police chief's best friend.
>LockBit targeted TSMC through one of its suppliers, Kinmax Technologies, an IT services provider specializing in networking, cloud computing, storage, security, and database management.
I'm curious what the real goal is with demands like this.
Surely, given the size of the demand, it is beyond the authority of TSMC to pay up, even _if_ they wanted to?
I imagine governments and authorities with any sort of stake in what could possibly be done with such a sum of money (it's unlikely to be used for Good, right?) would have an oversized say in whether or not they are allowed to pay it?
Is there recent precedent for ransoms of this size being paid?
What kind of data could they actually have "stolen" that's worth TSMC paying up $70M, rather than just writing it off?
TSMC is the largest semiconductor manufacturer in the world and they have technology and manufacturing processes literally no one else has. As of right now their market cap is roughly $500B. Surely they hold information that's worth more than $70M.
>“Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any TSMC’s customer information. After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the Company’s security protocols and standard operating procedures,” the company’s spokesperson told Cybernews.
A cyber ransom demand at one of the most important companies in the world, a linchpin of digital manufacturing, is not reassuring at all. Can their security really be that bad?
Yes. You would be hard pressed to find any company in the entire world that could prevent attackers with a mere $1M budget. Banks, power plants, car companies, cybersecurity companies, factories, you name it, almost certainly less than $1M. In fact, probably under $100K, but $1M is a safe upper bound. At a $10M budget there are zero. In fact, no CISO I have ever heard from has ever said that is even possible for a perfect implementation (i.e. they have free rein to implement everything they want as long as it does not make the company non-functional, but they get to be judge, jury, and executioner in that analysis). So yeah, given “perfectly implemented” security a $70M ransom has a guaranteed 700% ROI, but in practice closer to over 7000% ROI.
Not just their security, their backup policies too, right? Ransomware is completely powerless if you can delete and restore. You'd think investing in backup systems, policies, training, monitoring, which is best practice anyway, is cheaper than the horrible PR and costs of these ransoms.
>this incident could potentially disrupt the supply of semiconductors and impact GPU prices. The global chip shortage has already led to increased prices and limited availability of GPUs. A disruption at TSMC could exacerbate this issue, potentially leading to further price hikes in the market for GPUs.
This is a non sequitur. Yes, there was a cyberattack, but you presented no evidence as to how this could affect chip production besides giving a bunch of anecdotes about what a disruption would do. The rest of the article is informative but I just didn't understand this part.
I immediately think about what motivation China would have to do or not do something like this. As they get shut out of semiconductor technology and don’t actually have any real control over Taiwan, it seems like there is no downside other than not wanting to get caught.
I'm not sure what you mean by "in control", but they have their foot in the door of Taiwanese politics, and share a lot of common culture. They also live next door.
Ransomware groups play a game of attacking the most valuable targets they can, without attracting so much attention that three-letter friends start having meetings about them.
Crypto is a necessary component. And then many ransomware implants will also refuse to run on systems with RUS locale, for instance. The understanding seems to be that groups can avoid attention of local law enforcement as long as they do not make any waves locally.
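The locale gate mentioned above, reproduced as a defensive check. This is an added example, not code from the thread or from any ransomware family: the LANGID exclusion list is an illustrative subset (each family carries its own), the Windows path reads installed keyboard layouts with GetKeyboardLayoutList the way such implants do, and the non-Windows fallback on the process locale exists only so the logic can be exercised anywhere.

```python
"""Locale/keyboard-layout gate of the kind ransomware implants use to avoid
CIS hosts, written here as a check a defender can run. Added example; the
exclusion list is a hypothetical subset for illustration."""
import ctypes
import locale
import sys

# Windows primary LANGIDs (low 16 bits of an HKL / LCID) for locales that
# several families refuse to run under. Illustrative subset, not any family's list.
EXCLUDED_LANGIDS = {
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
    0x0440: "ky-KG",
    0x0428: "tg-TJ",
    0x0442: "tk-TM",
    0x0443: "uz-Latn-UZ",
}

# Locale name prefixes used on the non-Windows fallback path.
EXCLUDED_LOCALE_PREFIXES = ("ru_", "uk_", "be_", "kk_", "ky_", "tg_", "tk_", "uz_")


def langids_from_hkls(hkls):
    """An HKL packs the layout id in the high word and the language in the low
    word; implants compare only the low 16 bits against their list."""
    return {int(h) & 0xFFFF for h in hkls}


def installed_layout_hkls():
    """HKLs of every keyboard layout installed for the current user (Windows only).
    On other platforms returns [] so the fallback path is used."""
    if sys.platform != "win32":
        return []
    user32 = ctypes.windll.user32
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_size_t * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [h & 0xFFFFFFFF for h in buf]


def excluded_hits(langids, excluded=EXCLUDED_LANGIDS):
    """Names of excluded locales present among the given LANGIDs, in LANGID order."""
    return [excluded[lid] for lid in sorted(langids) if lid in excluded]


def would_abort(hkls=None, locale_name=None, excluded=EXCLUDED_LANGIDS):
    """True when a locale-gated implant would refuse to run on this machine.
    Pass hkls/locale_name explicitly to test; by default live values are read."""
    if hkls is None:
        hkls = installed_layout_hkls()
    if excluded_hits(langids_from_hkls(hkls), excluded):
        return True
    if locale_name is None:
        locale_name = locale.getlocale()[0] or ""
    return locale_name.startswith(EXCLUDED_LOCALE_PREFIXES)


if __name__ == "__main__":
    print("locale gate would abort on this host:", would_abort())
```

Note that the check is on installed layouts, not the active one, which is why adding a Russian keyboard layout to a host has been used as a cheap "vaccine"; it only works against families that still carry the gate, so treat it as a curiosity rather than a control.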
At least three of their Annual Reports indicate they knew of the risk of attack.
Has there been any Ransomware Attacks that don't involve Windows machines?
"Risks Associated with Cyber Attacks
Even though TSMC has established a comprehensive internet and computing security network, it cannot guarantee that the Company’s computing systems which control or maintain vital corporate functions, such as its manufacturing operations and enterprise accounting, would be completely immune to crippling cyber attacks by any third party to gain unauthorized access to its internal network systems, to sabotage its operations and goodwill or otherwise. In the event of a serious cyber attack, TSMC’s systems may lose important corporate data and its production lines may be shutdown indefinitely pending the resolution of such attack. While TSMC also seeks to annually review and assess its cybersecurity policies and procedures to ensure their adequacy and effectiveness, it cannot guarantee that the Company will not be susceptible to new and emerging risks and attacks in the evolving landscape of cybersecurity threats. These cyber attacks may also attempt to steal TSMC’s trade secrets and other intellectual properties and other sensitive information, such as proprietary information of the Company’s customers and other stakeholders and personal information of the Company’s employees. Malicious hackers may also try to introduce computer viruses, corrupted software or ransomware into the Company’s network systems to disrupt its operations, blackmail it for regaining control of its computing systems or spy for sensitive information. These attacks may result in TSMC having to pay damages for its delayed or disrupted orders or incur significant expenses in implementing remedial and improvement measures to enhance the Company’s cybersecurity network, and may also expose the Company to significant legal liabilities arising from or related to legal proceedings or regulatory investigations associated with, among other things, leakage of customer or third party information which TSMC has an obligation to keep confidential.
During 2017 and as of the date of this Annual Report, the Company had not been aware of any material cyber attacks or incidents that had or would expected to have a material adverse effect on its business and operations, nor had it been involved in any legal proceedings or regulatory investigations related thereof.
In addition, the Company employs certain third party service providers for TSMC and its affiliates worldwide with whom the Company needs to share highly sensitive and confidential information to enable them to provide the relevant services. Despite that TSMC requires the third party service providers to comply with the confidentiality and/or Internet security requirements in its service agreements with them, there is no assurance that each of them will strictly fulfill such obligations, or at all. The on-site network systems of and the off-site cloud computing networks such as servers maintained by such service provider and/or its contractors are also subject to risks associated with cyber attacks. If TSMC or its service providers are not able to timely resolve the respective technical difficulties caused by such cyber attacks, or ensure the integrity and availability of its data (and data belonging to its customers and other third parties) or control of its or its service providers’ computing systems, the Company’s commitments to its customers and other stakeholders may be materially impaired and its results of operations, financial condition, prospects and reputation may also be materially and adversely affected as a result." - https://investor.tsmc.com/static/annualReports/2017/english/...
There have been ransomware attacks against vulnerable NAS devices, but yes it's mostly Windows.
The biggest reason it's mostly Windows is not just worse security posture due to complexity but also that Windows is so popular in business, causing it to be the most aggressively attacked platform.
From experience (I was lead dev at a company where sales let a bitlocker in and IT had mis-configured backup... which is normal for backup in most companies): It's all about what the infected machines can access. When my employer got hit, the problem was that there were many shared drives that the infected machines could access, and these were bitlockered. People would run programs off a shared drive and get infected from that... then everything that machine had access to would get bitlockered. Backup was implemented where clients would push files to an open share and the share was backed up. The backups were bitlockered as a result. The shared drives were on a mix of Linux and Windows servers, and Mac users that had shared folders the sales team could access had that data bitlockered. So, Windows was involved - it's how the bitlocker got in, but honestly, it was an emailed binary the salesperson ran that started the fun.
Incidentally, the dev team (mix of Windows, Linux, Mac) was completely unaffected because we did not have any open shares, remote access was done with SSH. We used a backup system that ran as a pull, where the machine being backed up could not directly access the backup store, so safe.
So yeah, Windows involved, but the damage was more about what infected machine had write access to on the network.
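The pull-model backup described in the comment above, and the "delete and restore" point made earlier in the thread, as an added example. This is not the thread's or any product's own code; the names are hypothetical (backup host "vault", client exports under /srv/data, snapshots under /backup/<client>/<timestamp>, unprivileged account "backup"), and it assumes rrsync, the restricted-rsync wrapper shipped with rsync, with its "-ro" read-only mode on the clients.

```python
"""Pull-model backup: the vault connects to clients with a key that is confined
to read-only rsync, and clients hold no credentials to the vault at all. Added
example with hypothetical host names and paths."""
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path


def client_authorized_keys_line(vault_pubkey, export_root="/srv/data"):
    """Entry for ~backup/.ssh/authorized_keys on a CLIENT, for the vault's key.
    "restrict" turns off forwarding, pty and agent; the forced command confines
    the vault to a read-only rsync rooted at export_root."""
    return f'restrict,command="rrsync -ro {export_root}" {vault_pubkey}'


_RESTRICT = re.compile(r'(^|,)restrict(,|\s)')
_RO_CMD = re.compile(r'command="rrsync -ro /\S*"')


def is_restricted_key_line(line):
    """Review check: the line carries both the restrict option and a read-only
    rrsync forced command, in either order."""
    return bool(_RESTRICT.search(line) and _RO_CMD.search(line))


def latest_snapshot(client, root="/backup"):
    """Newest existing snapshot directory for a client, or None. Timestamps are
    zero-padded UTC, so lexical order is chronological order."""
    base = Path(root) / client
    dirs = sorted(p for p in base.iterdir() if p.is_dir()) if base.is_dir() else []
    return dirs[-1] if dirs else None


def build_pull_command(client, dest, prev=None):
    """argv for the rsync run on the VAULT. With rrsync on the client, the
    remote path "/" maps to the export root. --link-dest hard-links unchanged
    files to the previous snapshot; a run never opens an earlier snapshot for
    writing, so files a client encrypts today land only in today's directory
    and the older copies survive."""
    cmd = ["rsync", "-a"]
    if prev is not None:
        cmd.append(f"--link-dest={prev}")
    cmd += [f"backup@{client}:/", f"{dest}/"]
    return cmd


def pull_snapshot(client, root="/backup", run=subprocess.run):
    """Create a new dated snapshot for one client (run from cron on the vault).
    `run` is injectable so the sequencing can be exercised without rsync."""
    prev = latest_snapshot(client, root)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H%M%S.%fZ")
    dest = Path(root) / client / stamp
    dest.mkdir(parents=True)
    run(build_pull_command(client, dest, prev), check=True)
    return dest


if __name__ == "__main__":
    print(client_authorized_keys_line("ssh-ed25519 AAAA... vault"))
    print(" ".join(build_pull_command("web01", "/backup/web01/2024-01-02T000000.000000Z")))
```

Two things the design still relies on: retention of old snapshot directories has to be enforced on the vault (an attacker who owns a client can only poison new snapshots, but a pruning job that keeps too little history would age out the clean ones), and restores have to be rehearsed, since a backup that has never been restored is the one that turns out to be mis-configured when it is needed.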
Wasn't really TSMC...but some info that was shared to Kinmax by TSMC. Totally different than TSMC being hacked directly...it's not like they hopped from Kinmax into TSMC's network either.
lkbm | 2 years ago
[0] https://www.state.gov/darkside-ransomware-as-a-service-raas/
[1] https://www.theverge.com/2021/5/10/22428996/colonial-pipelin...
yborg | 2 years ago
pharrington | 2 years ago
https://www.bleepingcomputer.com/news/security/tsmc-denies-l...
pksebben | 2 years ago
DeathArrow | 2 years ago
The bit about security is ironic.
flakeoil | 2 years ago
ChuckNorris89 | 2 years ago
When this is your selection bias, do the results surprise you?
vslira | 2 years ago
alias_neo | 2 years ago
Etheryte | 2 years ago
hammock | 2 years ago
Think again. Companies try to hide it really well but million-dollar ransoms are paid all. The. Time.
Likewise with insurance payouts for kidnapping ransoms
hardware2win | 2 years ago
It is the modern equivalent of "rocket science" decades ago.
55555 | 2 years ago
alexk307 | 2 years ago
bigbillheck | 2 years ago
It's not even 12 hours revenue for TSMC.
sct202 | 2 years ago
https://cybernews.com/news/tsmc-data-breach-lockbit/
drumhead | 2 years ago
Veserv | 2 years ago
user3939382 | 2 years ago
s3p | 2 years ago
ngneer | 2 years ago
How valuable can this be?
hoherd | 2 years ago
m3kw9 | 2 years ago
traveler01 | 2 years ago
nonethewiser | 2 years ago
_kbh_ | 2 years ago
What remains to be seen is the response (if any) to this. You tread a fine line when you threaten the world's chip supply.
pjc50 | 2 years ago
North Korea, on the other hand, uses ransomware as one of its main ways of getting foreign currency.
itsoktocry | 2 years ago
fab30 | 2 years ago
yafbum | 2 years ago
tux3 | 2 years ago
tough | 2 years ago
unknown | 2 years ago
[deleted]
fab30 | 2 years ago
dirtyid | 2 years ago
mynonameaccount | 2 years ago
rpaddock | 2 years ago
api | 2 years ago
mschuster91 | 2 years ago
At least Lockbit seems to have samples floating around for macOS [1].
> At least three of their Annual Reports indicate they knew of the risk of attack.
That's a pretty standard statement these days, it's legalese to prevent shareholders suing for improper statements/risk assessment after an attack.
[1] https://t3n.de/news/macos-version-ransomware-lockbit-1547612...
indymike | 2 years ago
sybercecurity | 2 years ago
ChoGGi | 2 years ago
chasil | 2 years ago
It just takes one.
https://airbus-seclab.github.io/ilo/BHUSA2021-Slides-hpe_ilo...
j_walter | 2 years ago
varjag | 2 years ago
amelius | 2 years ago