Cyber Incident Victim: Kinmax Technology
Date: Jun 2023
Location: Taiwan
Summary
A cybersecurity incident at Kinmax Technology, an IT hardware supplier, led to a data breach impacting its customers, including TSMC. The breach involved the leak of information related to server initial setup and configuration. The Russia-linked LockBit ransomware gang claimed responsibility for the attack and issued a large ransom demand, threatening to publish network access credentials. The incident did not affect TSMC's core business operations or compromise its customer information.
Description
On or around June 29, 2023, Taiwan Semiconductor Manufacturing Company (TSMC), the world's largest contract chipmaker, was listed as a victim on the dark web leak site operated by the LockBit ransomware gang. The Russia-linked cybercrime group publicly threatened to publish data stolen from TSMC unless the company paid a $70 million ransom demand. This demand was characterized by a cyber threat intelligence researcher as one of the largest known in history. The gang's post included additional threats to publish network entry points along with passwords and logins if the ransom was not paid. LockBit did not provide any evidence to substantiate its claims of having successfully exfiltrated data from TSMC.

TSMC subsequently confirmed it had experienced a data breach, but clarified that the incident did not originate within its own systems. Instead, the company attributed the compromise to a cybersecurity incident at one of its IT hardware suppliers, identified as Kinmax Technology. According to a statement from a TSMC spokesperson, the breach at the supplier led to the leak of information related to server initial setup and configuration. TSMC stated that its review of the incident concluded that it had not affected TSMC’s business operations, nor had it compromised any TSMC customer information.
Kinmax Technology, an IT services and consulting organization specializing in networking, cloud computing, storage, security, and database management, provided its own account of the incident. In a notice shared by TSMC, Kinmax reported that on the morning of June 29, 2023, it discovered an attack on a specific internal testing environment, which resulted in the leakage of some information. The company stated the leaked content mainly consisted of system installation preparation materials that it provided to its customers as default configurations. This description aligned with TSMC's confirmation that the data pertained to server setup and configuration.
In its response to the incident, TSMC took immediate action by terminating its data exchange with Kinmax Technology. This action was executed in accordance with the company’s established security protocols and standard operating procedures. The swift termination of the data-sharing relationship was a containment measure aimed at preventing any further potential data exposure stemming from the supplier's compromised systems. Kinmax Technology expressed sincere apologies to its affected customers, indicating that TSMC was not the only partner impacted by the security breach. Eric Huang, vice president of Kinmax Technology, declined to specify the total number of customers affected by the incident.
The scope of the incident extended beyond TSMC due to Kinmax Technology's role as a supplier to multiple major technology firms. Kinmax's website listed partners including Nvidia, HPE, Cisco, Microsoft, Citrix, and VMware. Nvidia declined to comment on the situation when contacted, and the remaining organizations had not responded to inquiries at the time of reporting. It remained publicly unknown whether these other Kinmax partners were also impacted by the same breach. The data involved was described as configuration information pertinent to the initial setup of servers, rather than sensitive operational or customer data belonging to TSMC itself.
This incident occurred within a specific context of law enforcement activity targeting the LockBit group. Just weeks prior to the attack on Kinmax Technology, the U.S. Justice Department announced the arrest and charging of a Russian national for his alleged role in multiple LockBit ransomware attacks against victims in the U.S. and around the world. Notably, on the very same day that arrest was announced, LockBit claimed responsibility for a separate ransomware attack on Indian pharmaceutical giant Granules India, demonstrating the group's continued and aggressive operations despite law enforcement attention. The breach of a supplier to a critical global semiconductor manufacturer highlighted a continued trend of cybercriminals targeting software supply chains and third-party vendors as a method to gain indirect access to larger, more secure organizations. The primary consequence for TSMC was the confirmed leakage of technical configuration data, while its core business operations and customer relationships were reported to be unaffected. The full impact on other Kinmax customers and the final outcome of the LockBit ransom demands against TSMC were not detailed in the available information.
