TSMC WannaCry Hits OT Plants with a Hefty Price Tag
Skybox Blog TeamOct 8, 2018
The TSMC WannaCry attack may feel like déjà vu, but it’s a lesson in vulnerability management.
You may never have heard of Taiwan Semiconductor Manufacturing Company (TSMC), but you’ve probably used their product. TSMC is Apple’s sole wafer supplier. And in August, they got hit with a WannaCry nearly a year and a half after the Microsoft patch and the global ransomware outbreak.
TSMC WannaCry Timeline
On March 4, 2017 Microsoft issued a Windows patch intended to counteract the vulnerabilities exploited by leaked NSA hacking tools utilized in WannaCry in bulletin MS17-010.
More than a year later, at least one Windows 7 computer still hadn’t received that patch, and that machine was installed — virus and all — at a fabrication plant on the internal network of TSMC. The computer was reportedly connected by a well-meaning plant employee on August 3, 2018, before being checked and protected against malware. WannaCrypt, the WannaCry variant present on the infected machine, then spread to more than 10,000 computers and “fab tools” at multiple TSMC foundry sites in Taiwan before forcing a day-long production halt and a couple days’ recovery. The disruption appears to have had a dramatic effect on the company’s financial performance, with a two-percent drop in its third-quarter revenue — to the tune of about $170 million.
Intrusion Vector of TSMC WannaCry Attack
Although the high-profile supplier of iPhone hardware has found themselves in the crosshairs of cyberattackers in the past, this incident was the first to strike its production lines. The TSMC WannaCry attack also notably wasn’t a targeted attack, no ransom demand was made and the affected systems simply crashed and rebooted continuously.
Ironically, the isolation of the affected network from the Internet — generally a crucial safeguard for sensitive operational technology (OT) systems — contributed to the ransomware’s ability to traverse it.
Shortly after the initial outbreak of WannaCry, it was discovered that it contained an unregistered domain name, which it was hardcoded to contact and from which to receive instructions. By registering that domain, security professionals coopted the command-taking functionality to simply disable every instance of WannaCry that called home (which they continued to do for quite some time).
In the case of the TSMC WannaCry attack, the unpatched machine had no way to make this communication and therefore continued to proliferate the malicious payload.
Response from TSMC
In a press release and subsequent press conference, TSMC stated that by August 6 the problem had been resolved, hoping to reassure the public as well as the company’s clientele that also includes AMD, Nvidia, Qualcomm and Broadcom. None of the affected industry giants released official responses to the incident, which is presumed to have affected them indirectly in the form of revenue depletion that may have resulted from the manufacturing delay.
There are estimates of tens of millions of still unpatched computers, clients and servers, all of them ripe for exploitation by WannaCry and its variants. Even air-gapped networks aren’t immune. If for some reason you still haven’t patched — now’s the time.
To learn more about how Skybox Security can help protect against WannaCry — even in OT networks — download our special report.
Does WannaCry Mark a New Era of Global, Distributed Cybercrime? In 2017, the Skybox Security Research Lab predicted a new business model, distributed cybercrime, that would result in a global malware outbreak. WannaCry was an example of such an outbreak.
Hackers Disrupt Critical Infrastructure Network Using Cisco Smart Install Flaw: Bot uses Shodan to detect vulnerable devices, 200,000 affected worldwide by Cisco Smart Install Client vulnerability.