Cyber Espionage at NXP: Uncovering the Prolonged Intrusion by Chimera Hackers
A hacker group with ties to China had undetected access to the network of Dutch chip manufacturer NXP for over two years. This group, identified as Chimera, stole mailboxes and specifically targeted chip designs, according to an investigation by NRC. Their entry was unnoticed and alarmingly quiet.
![Cyber Cogeanu Nvidia GPU RTX 5k - NXP Cybersecurity Breach](https://cogeanu.com/wp-content/uploads/2023/12/nvidia_gpu_rtx5k-300x169.jpg)
Intrusion Details
The Chinese hacker group Chimera carried out the NXP cybersecurity breach through employee accounts. Once inside the company network, they navigated their way to secure servers, searching for chip designs and other confidential company information. They had ample time for this espionage, having access to NXP’s computer systems from late 2017 to spring 2020, as revealed by NRC’s investigation.
![Cyber Cogeanu: An employee is changing clothes in NXP's Nijmegen factory. Cyber spies were in the chip maker's systems for more than two years. Photo Remko de Waal](https://cogeanu.com/wp-content/uploads/2023/12/lab-300x169.jpg)
NXP’s Role in Technology
NXP, emerging from Philips, is pivotal in developing secure Mifare chips for public transport and access passes, and supplies secure elements for chips in iPhones, enabling contactless payments through Apple Pay. This was highlighted during Apple CEO Tim Cook’s visit to Eindhoven two months prior, cementing the collaboration.
![Cyber Cogeanu: NXP develops, among other things, the secure Mifare chips for the public transport chip card. Photo Remko van der Waal](https://cogeanu.com/wp-content/uploads/2023/12/development-300x169.jpg)
Despite NXP’s expertise in security, it was unaware of the breach until early 2020. The cyber spies behind the NXP cybersecurity breach initially used regular employee accounts to access the network, exploiting data from previous leaks on services like LinkedIn or Facebook. By guessing passwords through brute force, they gained entry into the VPN network. NXP’s MFA, which relied on codes sent to phones, was circumvented by the hackers changing the registered phone numbers.
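The initial-access chain described above (password guessing against the VPN, then an MFA phone-number change followed by a login) is the kind of pattern a defender can correlate across VPN and MFA logs. The following is an added illustration, not code from NXP, Fox-IT or NRC; the log format, the event names and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not NXP's or Fox-IT's data): VPN logins and MFA settings changes.
SAMPLE_LOG = """\
2019-09-14T08:00:01 vpn LOGIN_FAIL user=jdoe src=203.0.113.7
2019-09-14T08:00:03 vpn LOGIN_FAIL user=jdoe src=203.0.113.7
2019-09-14T08:00:05 vpn LOGIN_FAIL user=jdoe src=203.0.113.7
2019-09-14T08:00:07 vpn LOGIN_FAIL user=jdoe src=203.0.113.7
2019-09-14T08:00:11 vpn LOGIN_OK user=jdoe src=203.0.113.7
2019-09-14T08:04:30 mfa PHONE_CHANGED user=jdoe src=203.0.113.7
2019-09-14T08:20:00 vpn LOGIN_OK user=jdoe src=203.0.113.7
2019-09-14T09:00:00 vpn LOGIN_OK user=asmith src=198.51.100.4
2019-09-15T10:00:00 mfa PHONE_CHANGED user=asmith src=198.51.100.4
"""

FAIL_THRESHOLD = 4                 # failures shortly before a success that count as guessing (assumed)
GUESS_WINDOW = timedelta(minutes=10)
MFA_WINDOW = timedelta(hours=24)   # a login this soon after an MFA phone change is reviewed (assumed)

def parse_event(line):
    ts, source, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), source, event, fields["user"], fields["src"]

def find_suspicious_accounts(log_text):
    """Return {user: [reasons]} for accounts showing guess-then-login or MFA-change-then-login."""
    fails = defaultdict(list)   # user -> timestamps of failed VPN logins not yet followed by success
    phone_changed = {}          # user -> time of the most recent MFA phone-number change
    findings = defaultdict(list)
    for line in log_text.splitlines():
        ts, source, event, user, src = parse_event(line)
        if (source, event) == ("vpn", "LOGIN_FAIL"):
            fails[user].append(ts)
        elif (source, event) == ("mfa", "PHONE_CHANGED"):
            phone_changed[user] = ts
        elif (source, event) == ("vpn", "LOGIN_OK"):
            recent = [t for t in fails[user] if ts - t <= GUESS_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings[user].append(f"{len(recent)} failed logins then success from {src}")
            fails[user].clear()   # a success closes the guessing window for this account
            changed = phone_changed.get(user)
            if changed is not None and timedelta(0) <= ts - changed <= MFA_WINDOW:
                findings[user].append(f"login {ts - changed} after MFA phone change, from {src}")
    return dict(findings)

if __name__ == "__main__":
    for user, reasons in find_suspicious_accounts(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

Note that asmith's phone change is not flagged on its own: the check fires only when a login follows the change, which is what separates a user updating a lost phone from the sequence described in the article.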
Privilege Escalation and Erasing Tracks
Once established on a first computer – patient zero – the spies gradually expanded their access rights, intermittently erasing their tracks and stealthily advancing to protected network areas. They attempted to secretly transfer sensitive data found there in encrypted files through cloud storage services like Microsoft OneDrive. According to Fox-IT’s log files, the hackers regularly checked for new data at NXP and worked on hacking more user accounts and network parts.
The Transavia Tip-Off
The breach at NXP came to light only after the hacking of Dutch airline Transavia. On a Saturday morning in September 2019, the hackers accessed Transavia’s reservation systems. By October, Transavia suspected foul play and reported it to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP). A deep dive into the hack by Fox-IT revealed that data from 83,000 passengers, including addresses and phone numbers, had been stolen. The AP imposed a fine of 400,000 euros on Transavia for inadequate data security.
Fox-IT’s investigation into Transavia provided a crucial clue: network data indicated connections to IP addresses in Eindhoven, home to NXP’s headquarters. Upon learning this in January 2020, NXP enlisted Fox-IT’s help.
![Cyber Cogeanu: NXP supplies the 'secure elements' for chips in the iPhone, for contactless payments via Apple Pay. Photo Remko van der Waal](https://cogeanu.com/wp-content/uploads/2023/12/iphone_dev-300x169.jpg)
Corporate Obligations and Omissions
Only a select group at NXP’s Eindhoven headquarters was aware of the gravity of the situation. As a publicly traded company, NXP was obligated to inform investors about such risks, especially being listed on the Nasdaq. The 2019 annual report, signed by Peter Kelly, chairman of the supervisory board, and CEO Rick Clemmer, included the cyber burglary but did not disclose the full extent or duration of the hackers’ presence.
With assistance from Microsoft Security Services for Incident Response and investigative services, NXP worked to assess the damage, isolate the perpetrators, and sever their access to the IT systems. This was crucial to prevent further damage in case the spies made a rash move. Fox-IT continued this effort until April 2020. NXP also alerted suppliers like ASML in Veldhoven about the incident.
The Hackers’ Techniques and Motivations
The hackers’ method involved compressing, encrypting, and preparing large data files, like mailboxes or network drives containing confidential information, to be copied via cloud services such as Google Drive and Dropbox. This discreet operation was aptly titled in Fox-IT’s blog: “Abusing cloud services to fly under the radar.”
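Because the exfiltration route described here is ordinary HTTPS to well-known cloud storage services, the signal a defender has is volume, timing and destination rather than a blocked protocol. The following is an added example, not code from Fox-IT or NXP: it sums per-workstation upload volume to a watch-list of cloud storage hosts from constructed proxy log lines (the log format, host names, threshold and business hours are all assumptions).

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not Fox-IT's or NXP's data): workstation, destination, bytes sent.
SAMPLE_PROXY_LOG = """\
2019-09-15T02:10:00 host=ws-0412 dst=onedrive.live.com method=PUT bytes_out=524288000
2019-09-15T02:12:00 host=ws-0412 dst=onedrive.live.com method=PUT bytes_out=734003200
2019-09-15T02:15:00 host=ws-0412 dst=www.dropbox.com method=POST bytes_out=209715200
2019-09-15T09:30:00 host=ws-0077 dst=drive.google.com method=POST bytes_out=3145728
2019-09-15T09:31:00 host=ws-0077 dst=www.example.com method=GET bytes_out=1024
"""

# Hypothetical watch-list of cloud storage hosts; a real deployment would use the proxy's
# URL categorisation rather than a hand-written set.
CLOUD_STORAGE_DOMAINS = {"onedrive.live.com", "www.dropbox.com", "drive.google.com"}
UPLOAD_THRESHOLD = 500 * 1024 * 1024   # bytes per host per day before alerting (assumed)
BUSINESS_HOURS = range(7, 20)          # local hours in which bulk uploads are expected (assumed)

def parse_proxy_line(line):
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts), fields["host"], fields["dst"], int(fields["bytes_out"])

def flag_bulk_cloud_uploads(log_text):
    """Sum bytes sent to cloud storage per (host, day); return the (host, day) pairs over threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "domains": set(), "off_hours": False})
    for line in log_text.splitlines():
        ts, host, dst, sent = parse_proxy_line(line)
        if dst not in CLOUD_STORAGE_DOMAINS:
            continue
        entry = totals[(host, ts.date())]
        entry["bytes"] += sent
        entry["domains"].add(dst)
        if ts.hour not in BUSINESS_HOURS:
            entry["off_hours"] = True   # uploads outside business hours raise the priority of the alert
    return {key: e for key, e in totals.items() if e["bytes"] > UPLOAD_THRESHOLD}

if __name__ == "__main__":
    for (host, day), e in flag_bulk_cloud_uploads(SAMPLE_PROXY_LOG).items():
        print(host, day, e["bytes"] // 2**20, "MiB to", sorted(e["domains"]),
              "(off-hours)" if e["off_hours"] else "")
```

Splitting the upload across two providers does not help the sender here, because the total is kept per workstation rather than per destination.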
Fox-IT concluded that the same perpetrator group was likely behind similar intrusions into at least seven Taiwanese chip manufacturers in 2018 and 2019. Comparing Dutch and Taiwanese security data in 2021, they found significant similarities in attack techniques, enough to attribute them to Chimera.
China’s Ambitions and Espionage
China, the world’s largest chip importer, is striving to reduce reliance on Western manufacturers. While the US implements export restrictions to hinder China’s technological progress, the Chinese government invests heavily in building chip factories and encourages engineers at Western tech companies to bring their expertise back home. Hacker groups like Chimera aim to steal high-tech knowledge to aid these efforts.
Defending Against State-Actor Attacks
Defending against coordinated attacks by state actors is a formidable challenge, as even the advanced Taiwanese tech sector has learned. In such cases, rapid detection of breaches is crucial. Post-2020, NXP has tightened network monitoring and restricted data download and copying abilities for employees.
Tracked in the security world as ‘G0114’ (its MITRE ATT&CK group identifier), Chimera remains a known threat. The high-tech sector, including NXP, continues to be targeted by various APT groups using similar tools. The length of time such a group can remain in a network without detection is a significant concern.
In September 2023, NXP disclosed a data breach involving its website visitor database, a separate incident from the internal systems compromise. This breach occurred on July 11 and was promptly addressed within three days, demonstrating NXP’s enhanced responsiveness and vigilance in cybersecurity.