Cyber Espionage at NXP: Uncovering the Prolonged Intrusion by Chimera Hackers


A hacker group with ties to China had undetected access to the network of Dutch chip manufacturer NXP for over two years. This group, identified as Chimera, stole mailboxes and specifically targeted chip designs, according to an investigation by NRC. Their entry was unnoticed and alarmingly quiet.


Intrusion Details

The Chinese hacker group Chimera carried out the NXP breach through employee accounts. Once inside the company network, they navigated their way to secure servers, searching for chip designs and other confidential company information. They had ample time for this espionage, having access to the computer systems of NXP from late 2017 to spring 2020, as revealed by NRC’s investigation.


Cyber Cogeanu: An employee is changing clothes in NXP’s Nijmegen factory. Cyber spies were in the chip maker’s systems for more than two years. Photo Remko de Waal


NXP’s Role in Technology

NXP, emerging from Philips, is pivotal in developing secure Mifare chips for public transport and access passes, and supplies secure elements for chips in iPhones, enabling contactless payments through Apple Pay. This was highlighted during Apple CEO Tim Cook’s visit to Eindhoven two months prior, cementing the collaboration.


Cyber Cogeanu: NXP develops, among other things, the secure Mifare chips for the public transport chip card. Photo Remko van der Waal

Despite NXP’s expertise in security, it was unaware of the breach until early 2020. The cyber spies behind the NXP breach initially used regular employee accounts to access the network, exploiting data from previous leaks on services like LinkedIn or Facebook. By guessing passwords through brute force, they gained entry into the VPN network. NXP’s MFA, secured through phone codes, was circumvented by the hackers altering phone numbers.
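A defender's view of the access chain described above, as an added example that is not from the article, NXP or Fox-IT: it correlates a burst of failed VPN logins and a change of the account's MFA phone number with the successful login that follows. The event names, tuple layout, accounts, addresses and thresholds are constructed assumptions, not a real product's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized format:
# (timestamp, event, account, source_ip). Not real log data.
EVENTS = [
    *[(f"2024-03-04T02:00:{s:02d}", "vpn_login_failed", "a.example", "203.0.113.7")
      for s in range(0, 60, 10)],                      # six guesses in one minute
    ("2024-03-04T02:30:00", "mfa_phone_changed", "a.example", "203.0.113.7"),
    ("2024-03-04T02:35:00", "vpn_login_success", "a.example", "203.0.113.7"),
    # Benign: a user replaces a phone and logs in, no guessing beforehand.
    ("2024-03-04T09:00:00", "mfa_phone_changed", "b.example", "198.51.100.20"),
    ("2024-03-04T09:05:00", "vpn_login_success", "b.example", "198.51.100.20"),
    # Benign: a user mistypes a password twice, then succeeds.
    ("2024-03-04T10:00:00", "vpn_login_failed", "c.example", "198.51.100.30"),
    ("2024-03-04T10:00:20", "vpn_login_failed", "c.example", "198.51.100.30"),
    ("2024-03-04T10:01:00", "vpn_login_success", "c.example", "198.51.100.30"),
]

def find_suspect_logins(events, fail_threshold=5, window=timedelta(hours=24)):
    """Flag successful VPN logins preceded, within `window`, by both a burst
    of failed logins and a change of the account's MFA phone number."""
    parsed = sorted((datetime.fromisoformat(ts), ev, acct, ip)
                    for ts, ev, acct, ip in events)
    fails = defaultdict(list)          # account -> failed-login timestamps
    phone_changes = defaultdict(list)  # account -> MFA phone change timestamps
    alerts = []
    for ts, ev, acct, ip in parsed:
        if ev == "vpn_login_failed":
            fails[acct].append(ts)
        elif ev == "mfa_phone_changed":
            phone_changes[acct].append(ts)
        elif ev == "vpn_login_success":
            recent_fails = [t for t in fails[acct] if ts - t <= window]
            recent_changes = [t for t in phone_changes[acct] if ts - t <= window]
            if len(recent_fails) >= fail_threshold and recent_changes:
                alerts.append({"account": acct, "source_ip": ip,
                               "login_at": ts.isoformat(),
                               "failed_attempts": len(recent_fails)})
    return alerts

if __name__ == "__main__":
    for alert in find_suspect_logins(EVENTS):
        print(alert)
```

Only the first account is flagged; a phone replacement or a couple of mistyped passwords on their own do not trigger the rule.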

Privilege Escalation and Erasing Tracks

Once established on a first computer – patient zero – the spies gradually expanded their access rights, intermittently erasing their tracks and stealthily advancing to protected network areas. They attempted to secretly transfer sensitive data found there in encrypted files through cloud storage services like Microsoft OneDrive. According to Fox-IT’s log files, the hackers regularly checked for new data at NXP and worked on hacking more user accounts and network parts.

The Transavia Tip-Off

The breach at NXP came to light only after the hacking of Dutch airline Transavia. On a Saturday morning in September 2019, the hackers accessed Transavia’s reservation systems. By October, Transavia suspected foul play and reported to the Dutch Data Protection Authority. A deep dive into the hack by Fox-IT revealed that data from 83,000 passengers, including addresses and phone numbers, had been stolen. The AP imposed a fine of 400,000 euros on Transavia for inadequate data security.

Fox-IT’s investigation into Transavia provided a crucial clue: network data indicated connections to IP addresses in Eindhoven, home to NXP’s headquarters. Upon learning this in January 2020, NXP enlisted Fox-IT’s help.


Cyber Cogeanu: NXP supplies the ‘secure elements’ for chips in the iPhone, for contactless payments via Apple Pay. Photo Remko van der Waal

Corporate Obligations and Omissions

Only a select group at NXP’s Eindhoven headquarters was aware of the gravity of the situation. As a publicly traded company, NXP was obligated to inform investors about such risks, especially being listed on the Nasdaq. The 2019 annual report, signed by Peter Kelly, chairman of the supervisory board, and CEO Rick Clemmer, included the cyber burglary but did not disclose the full extent or duration of the hackers’ presence.

With assistance from Microsoft Security Services for Incident Response and investigative services, NXP worked to assess the damage, isolate the perpetrators, and sever their access to the IT systems. This was crucial to prevent further damage in case the spies made a rash move. Fox-IT continued this effort until April 2020. NXP also alerted suppliers like ASML in Veldhoven about the incident.

The Hackers’ Techniques and Motivations

The hackers’ method involved compressing, encrypting, and preparing large data files, like mailboxes or network drives containing confidential information, to be copied via cloud services such as Google Drive and Dropbox. This discreet operation was aptly titled in Fox-IT’s blog: “Abusing cloud services to fly under the radar.”

Fox-IT concluded that the same perpetrator group was likely behind similar intrusions into at least seven Taiwanese chip manufacturers in 2018 and 2019. Comparing Dutch and Taiwanese security data in 2021, they found significant similarities in attack techniques, enough to attribute them to Chimera.

China’s Ambitions and Espionage

China, the world’s largest chip importer, is striving to reduce reliance on Western manufacturers. While the US implements export restrictions to hinder China’s technological progress, the Chinese government invests heavily in building chip factories and encourages engineers at Western tech companies to bring their expertise back home. Hacker groups like Chimera aim to steal high-tech knowledge to aid these efforts.

Defending Against State-Actor Attacks

Defending against coordinated attacks by state actors is a formidable challenge, as even the advanced Taiwanese tech sector has learned. In such cases, rapid detection of breaches is crucial. Post-2020, NXP has tightened network monitoring and restricted data download and copying abilities for employees.

Known in the security world as ‘G0114’, the Chimera hackers remain a known threat. The high-tech sector, including NXP, continues to be targeted by various APT groups using similar tools. The longevity of their presence in a network without detection is a significant concern.

In September 2023, NXP disclosed a data breach involving its website visitor database, a separate incident from the internal systems compromise. This breach occurred on July 11 and was promptly addressed within three days, demonstrating NXP’s enhanced responsiveness and vigilance in cybersecurity.

Cogeanu Marius
Marius Cogeanu is a distinguished IT consultant and cybersecurity virtuoso based in Prague, Czechia. With a rich 20-year journey in the IT realm, Marius has carved a niche in network security and technological solutions, adeptly harmonizing tech with business requirements. His experience spans from Kyndryl to IBM, and as a valued independent consultant, where he's renowned for his innovative approaches in enhancing business operations with cutting-edge tech. Marius's forte lies in demystifying complex IT concepts, ensuring clarity and alignment for stakeholders at all levels. His commitment to staying at the forefront of industry trends and seeking innovative solutions cements his status as a go-to expert in cybersecurity. Driven by a fervent passion for technology and its potential to revolutionize businesses, Marius thrives on tackling challenging ventures, applying his prowess in network design, IT service management, and strategic planning. Currently, Marius is focused on leading-edge IT project management, infrastructure design, and fortifying cybersecurity, guiding clients through the intricate digital landscape with unmatched expertise and insight.

