Black Hat: Hackers are using skeleton keys to target chip vendors

Operation Chimera focuses on the theft of valuable intellectual property and semiconductor designs.
Written by Charlie Osborne, Contributing Writer

Targeted attacks against semiconductor companies in Taiwan may not be well-known, but this does not mean the ripple effect of a successful hack would not be felt worldwide. 

Over the past decade, Taiwan has slowly established itself as a hotbed for chip companies in both development and production. Taiwan Semiconductor Manufacturing Company (TSMC) is a major player in the field and over time, the market value of the overall semiconductor and equipment manufacturing sector in the country has increased.

The technology industry is a top target for advanced persistent threat (APT) groups, given the often-lucrative and valuable intellectual property -- as well as customer data -- that companies in the sector guard. 

At Black Hat USA on Thursday, CyCraft Technology researchers Chung-Kuan Chen and Inndy Lin described a set of attacks believed to have been conducted by the same Chinese APT group in the quest for semiconductor designs, source code, software development kits (SDKs), and other proprietary information. 

"If such documents are successfully stolen, the impact can be devastating," the researchers said. "The motive behind these attacks likely stems from competitors or even countries seeking to gain a competitive advantage over rivals."

According to the team, attacks have been launched on numerous semiconductor vendors located at the Hsinchu Science Industrial Park in Taiwan. To date, it is thought at least seven vendors -- as well as their subsidiaries -- have been attacked by the same APT group in what the team calls "precise and well-coordinated attacks."

See also: Cybersecurity 101: Protect your privacy from hackers, spies, and the government

Dubbed Operation Chimera, also known as Skeleton, the APT launched a series of attacks throughout 2018 and 2019 with a variety of tools, including Cobalt Strike -- a legitimate penetration testing tool that threat actors are known to abuse -- and a custom skeleton key derived from code ripped from both Dumpert and Mimikatz.

In two case studies described in CyCraft's whitepaper (.PDF), a variety of endpoints and user accounts were found to be compromised at the time malware infections were detected. 

Initial access came from a valid, corporate ID -- potentially stolen in a separate data breach -- and a virtual private network (VPN) connection in the first case.

"Many enterprises often neglect this attack vector, by default trusting VPN connections and welcoming them into their intranet; and Chimera is one of the most skilled threat actors that we have seen at abusing VPN policies," the researchers added.

In the following stage of the attack chain, a remote desktop protocol (RDP) was used to gain access to company servers. 

During the second Chimera attack, abnormalities were discovered during a network upgrade in which the malware payload was directly injected into system memory, made possible through encoded PowerShell scripts. 

Once loaded into a compromised network, an adapted version of Cobalt Strike masqueraded as a Google Update function (GoogleUpdate.exe), while actually establishing backdoor beacons and persistence mechanisms. 

To exfiltrate data from an infected machine, Chimera makes use of an old version of RAR, a legitimate archive program, which has also been tampered with for malicious purposes. The customized tool, dubbed ChimeRAR, archives data harvested from a network and transfers it to a command-and-control (C2) server controlled by the cyberattackers. 

To further mask its activity, the threat group also hosted multiple C2s in the Google Cloud platform and through Microsoft Azure, as well as via other public cloud services. 

CNET: The best home security camera of 2020

The skeleton key, however, is perhaps the most interesting weapon in Chimera's arsenal. Dell Secureworks' Counter Threat Unit first documented the use of a skeleton key able to bypass authentication checks on Active Directory (AD) servers back in 2015, giving cybercriminals unfettered access to remote access services. 

Chimera's tool, named "SkeletonKeyInjector," is designed to be implanted into AD and domain controller (DC) servers, allowing the cyberattackers to move laterally across a network and to make direct syscalls, thereby circumventing existing security software. 

Code snippets taken from Mimikatz and Dumpert give the malware the capability to bypass API monitoring, a common defense mechanism used by today's antivirus and endpoint protection solutions. 

TechRepublic: Security analysts: Industry has not solved the talent gap or provided clear career paths

"The malware altered the New Technology LAN Manager (NTLM) authentication program and implanted a skeleton key to allow the attackers to log in without the need of valid credential[s]," the researchers said. "Once the code in memory was altered, the attackers could still gain access to compromised machines even after resetting passwords."

The team adds that as AD machines rarely receive a reboot, this could mean skeleton keys could go undetected for long periods, and also facilitate the threat actors' wishes to move laterally across networks without detection. In one of the firm's case studies, the APT group was present for roughly a year before being removed from the compromised network. 

"Based on the stolen data, we infer that the actor's goal was to harvest company trade secrets," CyCraft says. "The motive may be related to business competition or a country's industrial strategy."

ZDNet has reached out to the researchers with additional queries and will update when we hear back. 

The biggest hacks, data breaches of 2020 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards