The Dutch press reports that the Chinese-nexus hacker group Chimera successfully infiltrated the network of the prominent Dutch semiconductor company NXP, maintaining access for over two years from late 2017 to early 2020 without being detected. This intrusion resulted in the theft of intellectual property, particularly chip designs. The Chimera group's signature tool, ChimeRAR, were reportedly found during the investigation.
The attackers achieved initial intrusion by conducting reconnaissance of compromised user accounts at NXP. Chimera identified compromised user account credentials leaked from external resources, including LinkedIn and Facebook. Chimera hackers subsequently brute forced the accounts, or expanded reconnaissance via fuzzing phone numbers used for multi-factor authentication until they successfully breached user accounts. Once on the network, the intruders used encrypted files uploaded to cloud storage services like Microsoft's OneDrive, Dropbox, and Google Drive to exfiltrate NXP's proprietary files.
As mentioned, the attackers maintained a stealthy foothold for two years, and the compromise was only discovered in 2023 in the context of a broader investigation regarding a similar event impacting Transavia, a subsidiary of the Dutch flagship airline KLM.
Semiconductors are critical to the chip industry, which powers any device used in computing and communication for civil and military purposes. The NXP hack may be part of the "chip war" between China on one side, and the United States and the European Union on the other, which, since March 2023, has become "declared," with the Netherlands restricting exports of semiconductors.
Recent relevant events in the industry include a ransomware compromise. On 17 November, it became known that a South Korea-based semiconductor manufacturer was impacted by a ransomware event, likely unrelated to espionage operations. However, that linkage, while to be verified, is potentially significant. The ransomware attack was claimed by the Qilin (a.k.a. Agenda / AgendaCrypt) group.
The entry point leveraged by Chimera also requires additional consideration. While organizations can put in place reasonable efforts to enhance their security posture, user behavior at work and online—potentially, even outside work—may lead to vulnerabilities that attackers may be able to exploit with nefarious consequences.