Most people have probably never heard of Taiwan Semiconductor Manufacturing Co. (TSMC). Most people would be surprised to learn that it is the seventh biggest tech firm in the world, placing just below Apple. In fact, according to Bloomberg, TSMC is the “sole maker of the iPhone’s main processor” and is currently preparing to begin producing chips for Apple’s next iPhone. Indeed, Apple accounts for 21% of TSMC’s income. So you’d have to figure that an attack that shut down three of its factories had to have some negative effects.
As of this writing, TSMC is giving few details about what exactly caused the closure of its factories. The Wall Street Journal claims that the company was attacked by a computer virus which was “a modified version of the WannaCry virus”. But calling it “a computer virus” is simply a way to obscure the facts. And, to add to the mystery, the company also claimed that the virus was not introduced by an outsider. The latest company statement on the problem states that the disruption was caused by a “mistake made during software installation that then spread through its network.” That was some mistake.
Without more details, it’s impossible to know what exactly they are talking about. How does a bad software installation shut down three factories? Since they referred to a “computer virus”, does this mean that malware was pre-installed on some important software that masked itself as an update? How long ago was this installation performed? Was this virus or malware on the network for a long time or did its installation instantly shut down the factories?
According to an update of the original Bloomberg article, “no confidential information was compromised in the virus attack”. So it is now termed an “attack”, not just a problem caused by incompatible software. This conclusion seems confirmed by a statement from Chief Financial Officer Lora Ho, who said, “TSMC has taken actions to close this security gap and further strengthen security measures.”
Okay, so what precisely was the security gap that needed closing? Because it now appears that the network was breached by someone either looking to disrupt operations or steal information. You don’t take the time to compromise the supply chain just for fun. In either case, it must have been a major business competitor or a hostile nation state that could benefit from such a disruption or benefit from some secret information it may be able to get its hands on.
This being the case, would anyone be surprised if China was behind this attack? Probably not. According to one source, Taiwan’s government networks are attacked by China at a rate of up to 40 million attacks a month. China would like nothing more than to give one of Taiwan’s biggest tech companies a black eye. Doing so would make competing Chinese companies look better, by comparison. Maybe they could persuade Apple to depend less on TSMC for its chips and start using Chinese semiconductor producers.
Then again, maybe they wanted to steal information on the new iPhone chips. TSMC claims that no confidential information was accessed by the attackers. However, what would you expect them to say? In every major attack I have written about, the attacked company always initially downplays the attack. Over time, they release more details. The company has only stated that deliveries of new iPhones may be delayed and that TSMC may see a temporary 3% decrease in profits, which will amount to a loss of about $250 million.
We may find out the truth if a Chinese smartphone maker suddenly comes out with a phone that is surprisingly similar to the new upcoming iPhone 9. But maybe the attacker’s plans were simply to sully the image of the iPhone by using malware that would change the manufacturing parameters on machinery used in iPhone chip production. Such actions would then result in the production of underperforming iPhones. These imperfect phones would have to be recalled and, in so doing, Apple’s reputation would suffer. We also cannot dismiss the possibility that the hacker wanted to put some sort of backdoor into the chips.
If this attack was engineered through contaminating software from a supplier, it would most definitely have to be the work of a nation state. Such an approach is simply far too sophisticated for a bedroom hacker. Connecting this malware to the WannaCry virus seems a bit of a stretch, but it is possible that it had some similarities. For me, it seems closer to a variation on the Stuxnet malware, similar to the Triton malware that shut down Saudi Aramco last year. Interestingly, when that particular attack was reported, Saudi Aramco claimed there had been no attack at all.
If we assume that China was behind this attack, we’d have to speculate on how they compromised the supplier. Without knowing who the supplier was, we can only assume attack strategies that have been identified by the United States Office of the National Counterintelligence Executive in their 2018 report. Besides normal cyber attack methods, China uses the following routes to get the information it needs to support its tech industries.
We would have to know the infected supplier to reach any conclusions as to how the malware may have been placed in the software without it being detected before distribution. It should be noted, however, that TSMC has a semiconductor fabrication plant (fab) in Shanghai. Just saying.
China is no newcomer to the ICS/SCADA (Industrial Control System/Supervisory Control and Data Acquisition) attack arena. These terms refer to the control system architecture of machinery or other infrastructure that sets production parameters. If tampering with machine control systems was, in fact, the attack vector China used against TSMC, no one would be surprised. China is the leader in this type of attack. In 2013, Trend Micro set up some honeypots that looked like valid SCADA networks. They wanted to see if they would be attacked and by whom. In short, they were quickly and robustly attacked. And who were the main attackers? The chart below will give you that answer.
Yes, China led the way with 35% of the attacks being attributed to them.
While we await details on this attack, we can only speculate on the consequences. The attackers may leak information on what they found out about the new iPhone to take away some of its thunder. Well, what a coincidence! Yesterday, August 8th, a Chinese publication called Economic Daily News leaked details of the new series of iPhones. The information was reportedly from a Foxconn employee, but who knows?
The debut of the new phones is expected in September, but that may be delayed. If a delay occurs, it may not only be because production was shut down for three days. If the malware was in the system for longer than the company admits, they may have to check to see if new chips and phones that may have already been produced possess faults. If the delay is longer than just a couple of weeks, the hack may have been more successful than the company has claimed.
At the very least, the attack may cast doubt on the reliability of the iPhone. Most hardcore iPhone users may not be fazed. However, those contemplating a change to another brand may see this as the last straw and make a move to another maker. This will be especially true if, by sheer coincidence, a Chinese smartphone producer comes up with a phone that is almost a clone of the new iPhone. I guess we’ll just have to wait and see.