TSMC faces $70 mn LockBit ransomware demand, blames it on IT supplier

Semiconductor manufacturing firm Taiwan Semiconductor Manufacturing Company (TSMC) has reportedly been hit by a ransomware attack that was carried out by Russian ransomware gang LockBit, which has demanded a $70 million ransom for the stolen data.

Based in Taiwan, TSMC is a leading player in semiconductor supply chain, manufacturing and is responsible for 65% of the world’s semiconductors and 90% of the high-end chips for companies such as Apple, AMD, Nvidia and Qualcomm. While TSMC has confirmed the breach, it has refuted claims that company operations have been disrupted by the incident.

In fact, the $74.9 billion chip manufacturer said on Saturday, one of its suppliers, IT services provider Kinmax Technologies, has been breached, which have led to the chipmaker’s data being stolen.

Kinmax specialises in networking, cloud computing, storage, security and database management and was apparently breached. On 29 June, the company mentioned in its blog that its “internal specific testing environment was attacked, and some information was leaked”. The leaked content “mainly consisted of system installation preparation that the company provided to our customers,” the company said.

A Trend Micro report published in November 2022 reveals that 52% of global organizations have a supply chain partner that was hit by ransomware. Another example would be the compromise of IT management software provider Kaseya in 2021. Ransomware hackers exploited an internal software vulnerability to push out malicious updates to its managed service provider customers. An estimated 1,500-2,000 organisations were impacted.

TSMC has issued a statement saying that it is aware of an intrusion into its systems via a third-party hardware supplier, “which led to the leak of information pertinent to server initial setup and configuration.” It claims no customer data was exposed in the breach.

The statement added, “After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the company’s security protocols and standard operating procedures”.

LockBit has not specified the amount of data it managed to already get from the company, but it has set a deadline of 6 August for payment of the ransom, or it claims it will release the data onto the dark web for everyone to see.

The dark web blog also gives the option to extend a 24 hour-time for the price of $5,000, or to destroy all information or download all data at any moment for the amount demanded. 

LockBit is a Russian ransomware gang that emerged onto the cybercriminal landscape in 2019. Up to the first quarter of 2023, LockBit has had nearly 1,700 attacks have been conducted by LockBit against US targets since 2020, wherein it was able to rake in almost $91 million, according to a report released by US cybersecurity agency CISA published in April this year.

The increasing frequency and size of ransomware attacks are becoming a huge concern for thousands of organizations in other parts of the world too. In February, LockBit attack targeted UK-based postal services, Royal Mail, causing severe disruption to all international deliveries. U.K high street retailer WH Smith has been hit was also hit by the ransomware gang in March, leading to a breach to their existing employee data.

Last month, Indian pharmaceutical manufacturing firm Granules India was claimed to be compromised by the LockBit ransomware group, and prior in March, SRF, a multi-business chemicals manufacturer based in India also fell victim to the Russian gang in March this year.

A study done by staffing firm Teamlease Digital published on June this year said that there has been a rise in global weekly cyber-attacks, exceeding 1,200 attacks per week, in the first five months of the year, while Indian organizations experienced over 2,000 weekly attacks in Q1 2023, marking an 18% increase from the previous year. 

Further, the annual Verizon Data Breach Investigations Report, published by technology firm Verizon, in June, revealed that the cost per ransomware incident doubled over the past two years. The median loss more than doubled from last year to $26,000, with 95% of incidents costing between $1 and $2.25 million, the report said.