Cyber Incident Victim: Taiwan Semiconductor Manufacturing Company
Date: Jun 2023
Location: Taiwan
Summary
A Russian-speaking cybercriminal group using LockBit ransomware breached a hardware supplier for TSMC, stealing data and demanding a $70 million ransom. The incident involved the theft of system configuration data from the supplier's testing environment, but it did not impact the semiconductor giant's business operations or compromise any customer data. After the breach, TSMC terminated data exchange with the supplier in accordance with its security protocols.
Description
On or around June 1, 2023, Taiwanese semiconductor manufacturing company TSMC confirmed that one of its hardware suppliers, Kinmax Technology, had experienced a data breach. The confirmation was issued following public claims made by a Russian-speaking cybercriminal group, which had posted TSMC as a victim on its data leak site the previous day, Thursday, May 31. The group responsible for the attack and the claims was identified as LockBit, a prolific ransomware operation. The attackers demanded an extraordinary $70 million ransom from TSMC in exchange for not publishing the stolen data.

TSMC’s investigation, conducted in coordination with its supplier, determined that the incident was a breach of Kinmax’s systems and not a direct intrusion into TSMC’s own infrastructure. The compromised data originated from Kinmax’s internal testing environment, which is used to prepare the technology and configurations it delivers to its customers. According to a joint statement from Kinmax distributed by TSMC, the leaked content mainly consisted of system installation preparation materials provided to customers as default configurations. This included data that may have contained customer names, though the specific number or identities of these customers were not disclosed.
In its official statements, TSMC was quick to assure its investors and the public that the incident had no impact on its business operations. The company stated that no TSMC customer data was compromised as a result of the breach at its supplier. To contain the incident and prevent any potential further data exposure, TSMC immediately terminated its data exchange with Kinmax in accordance with the company’s established security protocols and standard operating procedures. This action severed the digital connection between the two companies to isolate the threat.
Kinmax issued an apology to its customers whose information may have appeared in the data set that was accessed and stolen by the attackers. Representatives from both TSMC and Kinmax did not respond to inquiries regarding whether any ransom would be paid to the LockBit group, and there were no public indications that either company had any plans to meet the hackers' financial demands. Industry analysts noted that ransomware groups frequently exaggerate the value of the data they exfiltrate and make outlandish ransom demands that are rarely met by their targets.
The LockBit group is known for its ransomware-as-a-service operation and was identified by US cybersecurity officials as the most deployed ransomware variant in the world during 2022. Security experts familiar with the group's tactics indicated that if a ransom was not paid, the hackers would likely follow through on their threat to publish the stolen data on their leak site or sell it to other malicious actors. The targeting of a key supplier to a major semiconductor firm highlighted ongoing concerns regarding the security of complex global supply chains, particularly within critical industries.
The incident drew attention due to TSMC’s position as one of the world’s largest contract chipmakers and a critical supplier to major technology firms, including Apple. Taiwan’s semiconductor industry is a vital component of the global hardware supply chain, making any cyber intrusions targeting it a significant concern for international government officials and business executives. While this specific event was assessed as having no impact on production or customer security, it underscored the persistent threat landscape facing high-value manufacturing sectors.
This event also occurred within a broader context of efforts to fortify Taiwan's infrastructure against cyber threats. For years, American officials and Taiwanese cybersecurity experts have collaborated on initiatives to strengthen the island's defenses in the face of persistent hacking campaigns. The incident was compared to a separate, more disruptive ransomware attack in 2020 against Taiwan’s state-run energy company, which had temporarily impaired some customers' ability to pay for gasoline using company-issued cards, demonstrating a range of potential consequences from such attacks. The response to the Kinmax breach focused on swift containment and public assurance, prioritizing the maintenance of operational continuity and stakeholder confidence.
