LockBit Attack on Semiconductor Foundry Supplier Underscores Importance of SEMI E187 Deployment

Background

According to a report by Cybernews on June 30th, the world’s leading semiconductor manufacturing giant, Taiwan Semiconductor Manufacturing Company (TSMC), has appeared on the list of the dark web blog LockBit, with the hacker group demanding a ransom of $70 million for stolen data. However, further investigation revealed that it was actually a supplier of TSMC that had experienced a cybersecurity incident, resulting in the leakage of data related to initial server settings and configurations.

In response, TSMC clarified that all hardware devices entering the company, including their security settings, must undergo corresponding adjustments through the company’s comprehensive procedures after entering the factory, including security configurations. After a review, TSMC confirmed that this incident did not affect its business operations, and no customer data had been leaked.

After the incident, TSMC, in accordance with the company’s cybersecurity agreement and standard operating procedures, immediately terminated data exchanges with the affected supplier. The attacked supplier is known to be Kinmax Technology of Taiwan, a company providing IT and SI system consulting and integration services. Kinmax Technology also publicly confirmed this cybersecurity incident on its official website.

Threat Actor: LockBit3.0

The LockBit threat actors initially made their presence known on Russian cybercrime forums in January 2020, and by June 2021, they had launched LockBit RaaS 2.0. From July 2022 onward, LockBit 3.0, also referred to as LockBit Black, has become one of the most infamous global ransomware threats. Industries worldwide have felt the effects of LockBit 3.0, and many semiconductor companies in Taiwan have fallen victim to its ransom demands. According to a study, since 2022, these threat actors have claimed to have compromised over 500 organizations globally, spanning various sectors and critical infrastructure, such as healthcare and education, with the LockBit 3.0 BLACK variant being the most closely watched ransomware variant.

LockBit 3.0 not only continues to operate its RaaS (Ransomware as a Service) platform, but has also progressively enhanced its encryption capabilities through various techniques, particularly those focusing on anti-analysis. Like Egregor and BlackCat, this ransomware requires a password to decrypt the original text portion. Due to code similarities, many researchers infer that most techniques used by LockBit 3.0 originated from BlackMatter/Darkside. In January 2023, another variant of Lockbit ransomware, Lockbit 3.0, emerged, known as LockBit GREEN. Researchers found significant similarities between the source code of the LockBit GREEN variant and the Conti ransomware. The threat research team at TXOne Network recently conducted an in-depth analysis of LockBit 3.0’s tactics, techniques, and procedures (TTP).

The Importance of Cybersecurity for the Supply Chain

Over the past six months of 2023, there has been a significant rise in the number of supply chain attacks, with major cybersecurity incidents involving companies such as Applied Materials, 3CX, and MOVEit. Threat actors are exploiting the intricate networks between organizations, their equipment suppliers, parts/material suppliers, and third-party service providers. They attack the weakest links in the supply chain, taking full advantage of the interconnectedness of digital supply chains. Even organizations with comprehensive defenses are highly susceptible to supply chain attacks.

Furthermore, digital product cybersecurity is paramount for managing supply chain risks. Many attackers focus on the software systems of suppliers to target organizations, demonstrating that managing supply chain risks goes beyond cybersecurity governance; it also requires safeguarding the cybersecurity of digital products. This reflects the significance of the U.S. IoT Cybersecurity Act of 2020, the EU’s Cyber Resilience Act, and the UK’s PSTI Act. Digital products must emphasize security and vulnerability handling processes by default to prevent end users from being infiltrated.

Production environment equipment has become a primary target for hackers, especially in the semiconductor manufacturing industry.  From our observations of recent supply chain incidents, hackers mainly target customer equipment data, including customer information, process equipment data, and intellectual property rights. It is clear that any supply chain incident could severely impact a company’s ability to compete in the market.

Enhancing Semiconductor Supply Chain Security: Implementing the SEMI E187 Cybersecurity Standard

Indeed, to enhance the security of the semiconductor industry’s supply chain, SEMI is actively assisting the industry in establishing cybersecurity standards. These Standards such as SEMI E187 cover a range of cybersecurity measures throughout the asset lifecycle, including development, delivery, installation, production, and maintenance. This standard is a crucial reference for semiconductor manufacturers in production line defense. We have previously published an in-depth interpretation of semiconductor cybersecurity standards in “SEMI E187 Compliance Reference Guide – The Asset Security Life Cycle”. Meanwhile, TXOne Networks is continually and proactively participating in the formulation of best practice guidelines relevant to the semiconductor industry.

1. Phase of Equipment Development and Design

SEMI E187 is designed to establish a common and minimum set of cybersecurity requirements to ensure the security of semiconductor fab equipment by design, as well as during operation and maintenance. The standard concentrates on several requirements of fab equipment, as discussed below:

• Using an operating system that is not end-of-life.
• Documentation on how to perform security updates to address future vulnerabilities provided by equipment vendors.
• Support of secure-by-default configurations for device networking, such as network isolation, secure network configuration methods, secure network protocols, and more.
• Allowing the preloading of antivirus software on the device to maintain its integrity.
• Scanning for malicious software before the device leaves the factory.
• Performing vulnerability scans before the device is shipped to ensure that delivered products are free of known exploitable vulnerabilities.
• Use of tools like authentication and identity management to prevent unauthorized access.
• Utilizing the principle of least privilege.
• Support of the recording or monitoring of relevant security-related information.

2. Phase of Equipment Introduction into the Factory

Before delivering the assets to the wafer fab, malicious software and vulnerability scanning on the suppliers’ equipment should be carried out. Each asset should have a detailed asset inventory created to demonstrate that the equipment doesn’t have any malicious software, high-risk vulnerabilities, or unnecessary network services enabled. Actions that should be taken include:

• Executing malware scanning thoroughly.
• Ensuring the scanning engine and virus database are the most current versions.
• Verifying the basic information of the device under test.
• Setting the scanning engine to scan all types of files and system storage spaces.
• Making sure the scanning engine checks each computational device and its storage space inside the machine equipment.
• Recording the start and finish times of the scan, and ensuring the most recent virus codes were used during the scan.
• Clearly recording the scan status and notifications, including: undetected, cleared, or quarantined malicious software, etc.
• Performing Vulnerability Scanning to confirm that there are no high-risk vulnerabilities.
• Conducting operating system checking to verify there are no obsolete versions installed or unnecessary software installed.
• Performing Network Service Hardening to determine whether services that shouldn’t be enabled are running.

3. Phase of Equipment Security Configuration

During the configuration phase, operational operators in the factory will implement their own security configurations to reduce the attack surface. This includes applications, user permissions, user accounts, network services, network ports, and other unnecessary system features, thereby reducing the chance of attackers gaining access to the computers executing critical tasks. We can achieve the objective in different ways, including but not limited to the following examples:

• Enhancing system immunity with malware protection.
• Deleting all surplus services and software.
• Disabling high-risk network protocols and unnecessary network ports.
• Controlling and limiting user permissions and access.
• Disabling USB ports at startup.

4. Phase of Production Line Operation Network Protection

Factory managers must be prepared to combat various threats over the network that hackers are eager to exploit. The key to network segregation lies in defining necessary or unnecessary communication based on asset attributes and segmenting the organization’s OT network into more defendable zones. For example: defining executable commands based on trustworthy industrial communication protocols, or determining which assets can communicate with each other based on specific IP policies. This strengthens the factory network’s access control, enhances packet analysis, and makes it more difficult for hackers to gather information or move within the factory network. Factory managers can achieve dynamic network isolation through Next-Generation IPS and firewall devices using the following methods:

• Only allowing necessary legal network services to pass.
• Only allowing legal, secure, or user-authorized file sharing to pass.
• Preventing unauthorized external network access behaviors.
• Preventing unauthorized devices from connecting to the factory network.
• Proper internal network micro-segmentation, isolation of production lines, and moving related service hosts to secure network segments.
• Supporting deep packet inspection technology, coupled with the latest industrial threat intelligence, to prevent lateral movement of threats.
• Supporting asset risk assessment, including: detailed vulnerability intelligence, attack vector reports, etc.

5. Phase of Continuous Cybersecurity Monitoring

Security event logs are crucial for equipment safety. In addition to other benefits, they can be used for debugging, security vulnerability recovery, and event investigation. Security event logs should be protected and access should be limited to authorized individuals. The physical protection of security event logs should be addressed through media protection, physical protection, and environmental protection. This standard provides security event logs to responsible personnel for the maintenance and operation of assets and network defenses when necessary.

• Enable security event logs of endpoint systems and applications by default.
• For system event logs, at least include access control, configuration changes, and system errors.
• It is imperative to protect security event logs.
• Aggregate security event logs.
• Provide tools for monitoring and reviewing security logs, such as: OT EDR and OT IPS.
• Define security event logs in a machine-readable format.

6. Phase of Cybersecurity Maintenance

From the moment an asset is put into its intended production use, it begins to age and depreciate, and starts to undergo regular maintenance. This includes not just repairs, but also ongoing software configuration changes, system upgrades, and security updates to keep the asset in sync with the ever-changing factory floor. Sometimes, this is also necessary to comply with company security policies.

• Another scan is needed each time an equipment undergoes a software or configuration change.
• Confirm asset configuration and security update status.
• For assets that have not been updated, or cannot be updated, take mitigation measures, such as: virtual patches to defend against known vulnerability exploits.

How TXOne Networks Can Help

While cybersecurity standards have been established, this is just the first step for strengthening cybersecurity in the semiconductor industry. To effectively implement the principles of the standard, a fitting cybersecurity solution is needed to accelerate the introduction of cybersecurity standards into the semiconductor supply chain. TXOne’s solutions help related equipment manufacturers comply with SEMI cybersecurity standard and meet equipment cybersecurity requirements. On the other hand, it can also be used by enterprises using the equipment to implement a zero-trust cybersecurity protection framework for semiconductor production lines based on the with SEMI cybersecurity standard.

• Security Inspection: Portable Inspector uses a removable approach to provide effective malware scanning with independent computer and physical isolation. It can detect and remove malicious software by being inserted into the USB port of any Windows and Linux device without the need for software installation or rebooting the target system. In addition, Portable Inspector can collect asset information to generate an inventory list to increase IT/OT visibility and eliminate shadow IT/OT. With its use of an AES 256 hardware encryption engine and scanning of all files before storing data, it ensures that data is free from malware before being securely placed in storage.

• Endpoint Protection: Stellar offers organizations an all-in-one OT solution for long-term endpoint security coverage, securing modernized assets with a library of ICS applications and certificates. For fixed-use and legacy systems, Stellar locks them down so that they can only conduct tasks related to their role, and StellarOne empowers smooth management throughout the asset lifecycle from a single pane of glass.

• Network Defense: Edge series employs auto-rule learning technology to assist organizations in automatically generating a network trust list, and allows organizations to create and edit L2-L3 network policies strictly based on which assets need to communicate in order to do their work, highlighting all suspicious or potentially harmful activity. The Edge series also supports a wide range of industrial protocols and deeply analyzes network packets, enabling organizations to effectively block malicious behavior and errors without affecting production line operations. To protect legacy devices and production systems that are vulnerable to attack due to unpatched vulnerabilities, Edge series uses industry-leading signature-based virtual patching technology. In addition, Edge series minimizes the time required to configure and manage devices and can be easily deployed in an organization’s existing OT environment.

Conclusion

TXOne Networks experts have collaborated with leaders in the semiconductor industry to formulate a holistic solution, integrating the principles of zero-trust within every phase of the asset lifecycle. Through solutions security inspection, endpoint protection, and network defense, we can defend against each potential threat entry point from layer0 to layer3 in the OT/ICS environment, protect fundamental production and operation services, and minimize service interruptions. At the same time, we can satisfy the compliance simplification of SEMI E187, overcome challenges that IT security cannot, and build a robust defense network for semiconductor foundries to protect against cyber supply chain threats.