A China-linked hacker group, identified as 'Chimera,' maintained undetected access to the computer network of the Dutch chip giant NXP Semiconductors for over two years, according to a report from the Dutch daily newspaper NRC.
The breach, which lasted from the end of 2017 to spring 2020, involved the theft of sensitive data, including chip designs.
The cyber spies gained entry into NXP's network through compromised employee accounts. Once inside, they moved through the network to the servers holding chip designs and other proprietary information.
The cyber intrusion came to light due to a separate attack on Dutch airline Transavia, a subsidiary of KLM, which was conducted by the same threat actor.
In September 2019, hackers infiltrated Transavia's reservation systems, prompting an immediate investigation. That inquiry uncovered communications with NXP IP addresses, which in turn led to the discovery of the extensive compromise of NXP's systems.
According to the report, the attackers obtained employees' credentials from earlier data leaks at other web services, such as LinkedIn or Facebook, and used them to brute-force access to the company's VPN. They bypassed the two-factor authentication NXP had deployed by changing the phone numbers registered to receive the second factor. Every few weeks the hackers checked for new sensitive data and then exfiltrated it via cloud storage services such as Microsoft OneDrive.
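The intrusion chain described above (password reuse and brute force against the VPN, a changed MFA phone number followed by a login from an unfamiliar address, then bulk uploads to a cloud storage service) leaves a recognisable trail in ordinary authentication and proxy logs. The following detection sketch is an added example and not code from NXP, NRC or the researchers cited here; the CSV log format, the event names, the thresholds and the sample log lines are all constructed for illustration.

```python
"""Correlate VPN auth, MFA-enrollment and cloud-upload events into alerts.

Hypothetical log format (constructed, one event per line):
    timestamp,user,event,key=value;key=value
Events used: vpn_fail, vpn_success, mfa_phone_changed, cloud_upload.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning assumptions (hypothetical thresholds, adjust to your environment)
FAIL_THRESHOLD = 5                      # failures before a success is suspicious
FAIL_WINDOW = timedelta(minutes=10)     # window in which those failures must occur
MFA_CHANGE_WINDOW = timedelta(hours=24) # phone-number change shortly before a login
UPLOAD_WINDOW = timedelta(hours=48)     # upload soon after a flagged login
UPLOAD_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB in one upload

# Constructed sample log: alice is brute-forced, bob has his MFA phone swapped
# and then uploads 500 MB to OneDrive, carol is a normal user with one typo.
SAMPLE_LOG = """\
2019-09-01T08:00:00,alice,vpn_fail,src=203.0.113.7
2019-09-01T08:00:10,alice,vpn_fail,src=203.0.113.7
2019-09-01T08:00:20,alice,vpn_fail,src=203.0.113.7
2019-09-01T08:00:30,alice,vpn_fail,src=203.0.113.7
2019-09-01T08:00:40,alice,vpn_fail,src=203.0.113.7
2019-09-01T08:01:00,alice,vpn_success,src=203.0.113.7
2019-09-02T10:00:00,bob,mfa_phone_changed,old=+31600000001;new=+31600000002
2019-09-02T11:30:00,bob,vpn_success,src=198.51.100.9
2019-09-03T02:00:00,bob,cloud_upload,dest=onedrive.live.com;bytes=524288000
2019-09-02T09:00:00,carol,vpn_fail,src=192.0.2.4
2019-09-02T09:05:00,carol,vpn_success,src=192.0.2.4
"""


def parse_log(text):
    """Parse the hypothetical CSV format into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, detail = line.split(",", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split(";"))
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, **fields})
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events):
    """Return (rule, user, detail) alerts for the three linked behaviours."""
    alerts = []
    fails = defaultdict(list)      # user -> timestamps of recent failed logins
    known_src = defaultdict(set)   # user -> source IPs seen on earlier successes
    last_mfa_change = {}           # user -> time of most recent MFA phone change
    suspicious_login = {}          # user -> time of the login that raised an alert
    for e in events:
        u, t = e["user"], e["ts"]
        if e["event"] == "vpn_fail":
            fails[u] = [f for f in fails[u] if t - f <= FAIL_WINDOW] + [t]
        elif e["event"] == "mfa_phone_changed":
            last_mfa_change[u] = t
        elif e["event"] == "vpn_success":
            recent = [f for f in fails[u] if t - f <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_then_success", u, e["src"]))
                suspicious_login[u] = t
            changed = last_mfa_change.get(u)
            if (changed is not None and t - changed <= MFA_CHANGE_WINDOW
                    and e["src"] not in known_src[u]):
                alerts.append(("mfa_change_then_new_ip_login", u, e["src"]))
                suspicious_login[u] = t
            fails[u] = []
            known_src[u].add(e["src"])
        elif e["event"] == "cloud_upload":
            flagged = suspicious_login.get(u)
            if (flagged is not None and t - flagged <= UPLOAD_WINDOW
                    and int(e["bytes"]) >= UPLOAD_BYTES_THRESHOLD):
                alerts.append(("bulk_upload_after_suspicious_login", u, e["dest"]))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule}: user={user} {detail}")
```

The third rule only fires for a user whose login already tripped one of the first two, which keeps ordinary OneDrive use quiet while still catching the "check every few weeks, then upload" rhythm the report describes. The MFA rule is deliberately a detection, not a fix: the preventive control is to require re-verification with an existing factor (or a help-desk identity check) before a registered phone number can be changed at all.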
Based on the tools and techniques used in the campaign, security researchers have attributed it to a China-based threat actor tracked as Chimera (MITRE ATT&CK G0114). The group's name derives from ChimeRAR, a modified version of the RAR archiving utility that the hackers use to compress data before siphoning it off.
The threat actor's goal is to steal intellectual property, such as chip documents, semiconductor designs, software and source code. According to cybersecurity researchers, throughout 2018 and 2019 Chimera compromised at least seven Taiwanese semiconductor equipment makers.
Following the cyberattack, the Dutch chipmaker tightened its security to prevent further attacks. Separately, in September 2023, the company suffered a data breach involving customers' personal information. The chipmaker did not reveal how many customers were affected but said that intruders had acquired "basic personal information" from a system connected to NXP's online portal, including customers' full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions, and communication preferences.