Date: 29/11/2023
Where: Netherlands
Who’s involved:
NXP, Chimera Group (threat actor)
What happened?
The details of a substantial cybersecurity incident were reported by the Dutch press on 24/11/2023, involving the Eindhoven-based microchip designer and manufacturer NXP.
The company was infiltrated by Chinese hackers from a group known as 'Chimera', which likely gave the group access to sensitive information for nearly three years.
NXP only became aware of the incident when the KLM subsidiary Transavia uncovered the group's activities in one of its own investigations.
The investigation confirmed that Chimera had access to NXP’s system from at least the end of 2017 to spring 2020.
The hackers targeted chip designs and company secrets, stealing mailboxes and sensitive data. They gained access through employee accounts using credentials leaked on the dark web, combined with brute-force tools and publicly available information.
Along with NXP, at least seven Taiwanese chip companies and the airline Transavia were also affected.
Despite NXP's efforts to enhance security, the company suffered another data breach in 2023, showing ongoing vulnerability to cyber attacks.
Analysis:
The Chimera Group, previously thought to have been active only since 2018, is a suspected China-based threat actor that primarily targets the semiconductor industry. This incident shows that the group has also targeted airlines, and other campaigns may yet be revealed.
The hackers combined stolen account information from previous data breaches with data scraped from publicly available Facebook and LinkedIn profiles.
According to the AIVD, the attack is indicative of a large-scale, well-coordinated campaign. This is consistent with an advanced persistent threat (APT) and possibly a state-supported threat actor.
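The initial-access pattern described above (leaked credentials plus brute-force attempts against employee accounts) is one a defender can look for in authentication logs. The following is an added detection example, not code from the report or from NXP; it assumes a simple "timestamp user source outcome" log format and uses constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user source outcome" format.
SAMPLE_LOG = """\
2017-12-01T08:00:01 alice 203.0.113.7 FAIL
2017-12-01T08:00:03 alice 203.0.113.7 FAIL
2017-12-01T08:00:05 alice 203.0.113.7 FAIL
2017-12-01T08:00:08 alice 203.0.113.7 FAIL
2017-12-01T08:00:11 alice 203.0.113.7 SUCCESS
2017-12-01T08:05:00 bob 198.51.100.4 SUCCESS
2017-12-01T09:00:00 carol 203.0.113.7 FAIL
2017-12-01T09:00:02 dave 203.0.113.7 FAIL
2017-12-01T09:00:04 erin 203.0.113.7 FAIL
2017-12-01T09:00:06 frank 203.0.113.7 FAIL
2017-12-01T09:00:08 grace 203.0.113.7 FAIL
"""

def parse(log):
    """Parse log lines into (timestamp, user, source, succeeded) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, user, src, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, src, outcome == "SUCCESS"))
    return sorted(events)

def failures_then_success(events, min_fails=3, window=timedelta(minutes=10)):
    """(user, source) pairs that log in successfully after >= min_fails recent failures."""
    recent = defaultdict(list)   # (user, src) -> timestamps of failures inside the window
    hits = set()
    for ts, user, src, ok in events:
        key = (user, src)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if ok:
            if len(recent[key]) >= min_fails:
                hits.add(key)   # brute force / stuffing that ended in a valid session
        else:
            recent[key].append(ts)
    return hits

def spraying_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Sources that fail against >= min_users distinct accounts inside the window."""
    by_src = defaultdict(list)   # src -> [(ts, user)] failures inside the window
    hits = set()
    for ts, user, src, ok in events:
        if ok: continue
        by_src[src] = [(t, u) for t, u in by_src[src] if ts - t <= window] + [(ts, user)]
        if len({u for _, u in by_src[src]}) >= min_users:
            hits.add(src)   # one source trying many accounts: password spraying
    return hits
```

Real deployments would feed this from the identity provider or VPN logs and tune the thresholds and window to the environment; a successful login following failures should also trigger a credential reset and MFA enforcement review for that account.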
The exact impact of the breach is still unknown. Some of the leaked information may have included personal details of clients and employees, which could enable follow-on attacks.
Further attacks did come: another incident occurred in July 2023 and was reported on 5/9/2023. More data was stolen, including customers' names, email addresses, phone numbers, and other personal details. The specifics of the compromised data were not fully detailed in public reports, and no threat actor was identified.
Conclusion:
While NXP insists that these breaches were minor, the delays in detection and reporting, and the inability to publish details of the impact, are troubling. The effectiveness of the Chimera Group represents a significant and ongoing challenge to global cyber security, as few threat actors have been so narrowly focused on an industry that matters so much to both the consumer and defense sectors. The ability to remain undetected for extended periods while accessing sensitive information, including chip designs and corporate secrets, is potentially devastating.
The incident, shaped so largely by information shared by Transavia, demonstrates the need for greater transparency not only between individual companies but also across industries.
One can anticipate that there will be a broader impact on the semiconductor and airline industries as more information is made public and the scope of the campaign is uncovered. This series of incidents serves as a stark reminder of the critical need for robust cybersecurity strategies and the constant vigilance required to counter such advanced and persistent threats.