Taiwan Semiconductor Denies LockBit's $70M Hack ClaimThird-Party Supplier Hacked; TSMC Says Leak Only Affected Initial Setup Files
The world's largest chip manufacturer has dismissed the LockBit 3.0 ransomware gang's hack claim and $70 million ransom demand. Taiwan Semiconductor Manufacturing Co. said the data leak took place at a third-party supplier and contains only certain initial configuration files. It said customer information and operations were not affected.
The LockBit 3.0 ransomware gang on Thursday listed TSMC on its dark web leak site. The extortionist group claims to have confidential data of the chip-making giant and posted four screenshots to support its claim.
LockBit said it will delete all the information and remove the company listing from the leak site if TSMC pays the $70 million ransom. But in case of payment refusal, the gang threatened to publish the leaked data along with entry points into the company's network with login credentials.
LockBit set a deadline of Aug. 6 to meet its ransom demand, which can be extended by another 24 hours for $5,000, LockBit's post said. The group also said it is ready to sell the data to interested buyers at the same price that it is offering TSMC to delete the data dump.
These claims of a direct hack of its IT systems were quashed by a TSMC spokesperson who told Information Security Media Group the data leak actually had affected Kinmax Technology Inc., one of its IT hardware suppliers.
The leaked information is related to a server initial setup and configuration, the spokesperson said. "Upon review, this incident has not affected TSMC's business operations, nor did it compromise any TSMC's customer information," the spokesperson confirmed.
Kinmax confirmed on Friday that the company had detected an attack on one of its test environments, and adversaries had siphoned off some relevant information.
"The environment under attack is the engineering test area. This is the system installation environment prepared for customers. The captured content is parameter information such as installation configuration files," Kinmax said. "Since the above information has nothing to do with the actual application of the customer, it is only the basic setting at the time of shipment. At present, no damage has been caused to the customer, and the customer has not been hacked by it."
Kinmax shut down the infected network section and systems that were then investigated by an unnamed third-party cybersecurity company hired to assess the situation and support incident response. The cybersecurity company found that the rest of the network was normal and uncompromised, Kinmax said.
"The company's operating conditions are all normal and have not caused substantial losses to the company. At the same time, the investigation bureau has also completed the case filing and has begun with the criminal investigation," Kinmax added.
While Kinmax is gauging the risk footprint and reviewing, improving and strengthening information security measures, TSMC immediately terminated its data exchange with the supplier in accordance with the company's security protocols and standard operating procedures. "TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards," the TSMC spokesperson said.
Ransomware attacks have soared in recent months; there were 436 victims in May. LockBit 3.0 leads the list of attackers by far and is the most active threat actor in 2023, responsible for 78 known victims in May, or 18% of all known ransomware incidents. The closest rival of LockBit is a newer group called 8Base that has hit nearly 80 organizations since March 2022 (see: New Ransomware Actor 8Base Rivals LockBit in Extortion).