A supply chain attack is the likely cause of Taiwanese chipmaking giant TSMC appearing on the dark web leak site of the infamous ransomware group LockBit on June 29, 2023.
The accompanying $70m ransom is the fourth-largest sum demanded in ransomware history.
The day before this information appeared on the leak site, a threat actor known as Bassterlord, linked with the LockBit affiliate National Hazard Agency, started live-tweeting what appeared to be a ransomware attack on TSMC, sharing screenshots containing information related to the company.
TSMC has shared a statement with various press outlets admitting that one of its contractors had been breached but that the incident has not affected TSMC's business operations and has not compromised any customer information.
Meanwhile, Kinmax Technology, most likely the contractor in question although not named directly by TSMC, said that it had noticed on June 29 that a specific internal testing environment had been attacked and some information had been leaked.
Kinmax said in a statement: “The leaked content mainly consisted of system installation preparation that the Company provided to our customers as default configurations. We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience. The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future.”
It is understood that TSMC immediately terminated its data exchange with this supplier in accordance with the company's security protocols and standard operating procedures.
LockBit’s Toolkits
LockBit is one of the most active ransomware groups and has cost US victims alone more than $90m from roughly 1700 cyber-attacks since 2020, according to a joint advisory released by nine cybersecurity agencies on June 14, 2023.
It works with affiliates that use its ransomware-as-a-service (RaaS) toolkit. The latest version of this toolkit, named LockBit 3.0 and released in July 2022, is known for its use of double extortion, which involves encrypting a victim's files and then stealing a copy of the data before demanding a ransom payment.
The cyber-attack against Kinmax was one of the first after one of LockBit’s longest inactive periods, leading some security researchers to think the gang may be working on an evolution of the current LockBit 3.0 toolkit.
TSMC produces 65% of the world’s semiconductors and 90% of the most advanced nodes. It has an estimated annual revenue of over $74bn in 2023.
Kinmax is a much smaller entity: its LinkedIn page shows it has between 201 and 500 employees.
However, Kinmax claims on its website that, besides TSMC, its partners include companies such as Nvidia, HPE, Cisco, Microsoft, Citrix, and VMware. None of these companies had commented on the incident at the time of writing.