Presented at
Black Hat USA 2020 Virtual,
Aug. 6, 2020, 2:30 p.m.
(40 minutes).
This presentation provides an analysis of the advanced persistent threat (APT) attacks on the semiconductor industry during the past two years. Our research shows that the majority of these attacks were concentrated on the Taiwanese semiconductor sector. This is worthy of concern, as Taiwan's semiconductor industry plays a crucial role in the world: even a small disruption in the supply chain could have a serious ripple effect throughout the entire industry. Surprisingly, these attacks have so far received little coverage. In this presentation, we seek to shed light on the threat actors and campaigns behind these attacks, which we collectively refer to as Operation Chimera (a.k.a. Skeleton). Additionally, we provide a brief overview of the current information security status of Taiwan's semiconductor industry.

Between 2018 and 2019, we discovered several attacks on various semiconductor vendors located at the Hsinchu Science-based Industrial Park in Taiwan. As these attacks employed similar techniques and tactics, a pattern could be discerned from the malicious activities. From this pattern, we deduced that these attacks, which we dubbed Operation Chimera, were conducted by the same threat actor. The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips, software development kits (SDKs), IC designs, source code, etc. If such documents are successfully stolen, the impact can be devastating. The motive behind these attacks likely stems from competitors or even countries seeking a competitive advantage over rivals. Given the similarity of the techniques and tactics to previous attack activity, we suspect the attacker is a China-based hacker group. We thus hope that this presentation will help semiconductor companies gain a better understanding of the dangers posed by such attacks. Additionally, as we have worked with several semiconductor vendors to improve their cyber security, we wish to share this valuable experience and highlight the current challenges facing the entire industry.

In this presentation, we conduct a comprehensive analysis of the technologies, tactics, and customized malware employed in Operation Chimera. As this operation has not yet been documented, the techniques and tactics disclosed here can help blue teams design better defenses and develop better detection and hunting methods. Our findings on Operation Chimera are summarized below.

- A unique account manipulation malware, SkeletonKeyInjector, was used. SkeletonKeyInjector contains code extracted from Dumpert and Mimikatz. It implants a skeleton key into domain controller (DC) servers in order to continuously conduct lateral movement (LM). Additionally, by making direct syscalls, the malware could bypass security products that rely on API hooking. This malware was discovered in both cases discussed in this presentation.
- The threat actor used Cobalt Strike as its main remote-access Trojan (RAT). The modified Cobalt Strike backdoor replaced and masqueraded as Google Update to confuse users. Additionally, as most of the corresponding command-and-control (C2) servers were hosted on Google Cloud Platform, attributing the actor was difficult. Aside from the two cases discussed in this presentation, we also detected this malware at other semiconductor vendors.
- Chimera used an old, patched version of RAR for data exfiltration. The same binary was found in both cases discussed in this presentation.
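As an added example (not from the talk or from CyCraft), the following hunting logic turns two of the behaviours summarized above into defender-side checks run over constructed Sysmon-style process-creation records: a binary masquerading as Google Update, and a dropped RAR binary used to stage data. The Google Update install directories, the signer name and the archiver file names are assumptions, not values from the talk.

```python
"""Hunt rules for two Operation Chimera behaviours: a backdoor masquerading as
Google Update, and a dropped (old) RAR binary staging data for exfiltration.
The events below are constructed samples shaped like Sysmon Event ID 1 fields,
not real telemetry; paths, signer and archiver names are assumptions."""
import ntpath

# Assumed locations of a genuine Google Update binary and its expected signer.
GOOGLE_UPDATE_DIRS = (r"c:\program files (x86)\google\update",
                      r"c:\program files\google\update")
GOOGLE_SIGNER = "google llc"
# Assumed original file names of RAR command-line and GUI binaries.
ARCHIVER_NAMES = {"rar.exe", "winrar.exe"}


def check_event(ev):
    """Return a list of finding strings for one process-creation event."""
    image = ev["Image"].lower()
    directory, name = ntpath.split(image)
    signer = ev.get("Signature", "").lower()
    findings = []
    # Rule 1: a GoogleUpdate-named binary outside the install directory, or
    # without Google's signature, is not the real updater.
    if name.startswith("googleupdate"):
        in_google_dir = any(directory.startswith(d) for d in GOOGLE_UPDATE_DIRS)
        if not in_google_dir or signer != GOOGLE_SIGNER:
            findings.append("masquerading GoogleUpdate: unexpected path or signer")
    # Rule 2: Chimera dropped its own RAR build; an archiver running outside
    # Program Files or without a signature is unexpected on a server.
    if ev.get("OriginalFileName", name).lower() in ARCHIVER_NAMES:
        if not directory.startswith(r"c:\program files") or not signer:
            findings.append("unexpected archiver: possible exfiltration staging")
    return findings


def hunt(events):
    """Apply both rules to every event; returns (host, image, finding) tuples."""
    return [(ev["Computer"], ev["Image"], f) for ev in events for f in check_event(ev)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Computer": "ws01", "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "Signature": "Google LLC"},
    {"Computer": "ws02", "Image": r"C:\Users\Public\GoogleUpdate.exe", "Signature": ""},
    {"Computer": "dc01", "Image": r"C:\Windows\Temp\rar.exe",
     "OriginalFileName": "Rar.exe", "Signature": ""},
    {"Computer": "ws01", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "OriginalFileName": "WinRAR.exe", "Signature": "win.rar GmbH"},
]

if __name__ == "__main__":
    for host, image, finding in hunt(SAMPLE_EVENTS):
        print(f"{host}: {finding} ({image})")
```

The two legitimate records produce no findings; the copy in C:\Users\Public and the unsigned RAR binary in C:\Windows\Temp on the domain controller are each flagged once.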
Presenters:
- Chung-Kuan Chen, Senior Researcher, CyCraft Technology
  Chung-Kuan Chen/Bletchley is currently a Senior Researcher at CyCraft and is responsible for organizing its research team. He earned his PhD in Computer Science and Engineering from National Chiao-Tung University (NCTU). His research focuses on cyber attack and defense, machine learning, software vulnerabilities, malware, and program analysis. As a founder of the NCTU hacker research clubs, he trains students to participate in world-class security contests, and has participated in the DEF CON CTF twice. He has given technical presentations at non-academic conferences such as HITCON, RootCon, CodeBlue OpenTalk and VXCON. As an active member of the Taiwan security community, he is on the review committee of the HITCON conference and is the former chief of CHROOT, the top private hacker group in Taiwan. He organized the BambooFox team to take part in bug bounty projects, discovering several CVEs in COTS software and several vulnerabilities in campus websites.
- Inndy Lin, Cyber Security Researcher, CyCraft Technology
  Inndy Lin is a Cyber Security Researcher at CyCarrier, mainly focusing on malware reversing and supporting advanced Windows research. He loves exploring cyber security technologies and open source culture.
- Shang-De Jiang, Cyber Security Researcher, CyCraft Technology
  John Jiang is a researcher on the Research Team at CyCarrier. Currently, he focuses on incident response and endpoint security research.