At least three of their Annual Reports indicates they knew of the risk of attack.
Has there been any Ransomware Attacks that don't involve Windows machines?
"Risks Associated with Cyber Attacks
Even though TSMC has established a comprehensive internet
and computing security network, it cannot guarantee
that the Company’s computing systems which control or
maintain vital corporate functions ,such as its manufacturing
operations and enterprise accounting, would be completely
immune to crippling cyber attacks by any third party to
gain unauthorized access to its internal network systems,
to sabotage its operations and goodwill or otherwise. In
the event of a serious cyber attack, TSMC’s systems may
lose important corporate data and its production lines
may be shutdown indefinitely pending the resolution of
such attack. While TSMC also seeks to annually review and
assess its cybersecurity policies and procedures to ensure
their adequacy and effectiveness, it cannot guarantee that
the Company will not be susceptible to new and emerging
risks and attacks in the evolving landscape of cybersecurity
threats. These cyber attacks may also attempt to steal TSMC’s
trade secrets and other intellectual properties and other
sensitive information, such as proprietary information of the
Company’s customers and other stakeholders and personal
information of the Company’s employees. Malicious hackers
may also try to introduce computer viruses, corrupted software
or ransomware into the Company’s network systems to
disrupt its operations, blackmail it for regaining control of its
computing systems or spy for sensitive information. These
attacks may result in TSMC having to pay damages for its
delayed or disrupted orders or incur significant expenses
in implementing remedial and improvement measures to
enhance the Company’s cybersecurity network, and may also
expose the Company to significant legal liabilities arising from
or related to legal proceedings or regulatory investigations
associated with, among other things, leakage of customer or
third party information which TSMC has an obligation to keep
confidential. During 2017 and as of the date of this Annual
Report, the Company had not been aware of any material
cyber attacks or incidents that had or would expected to have
a material adverse effect on its business and operations, nor
had it been involved in any legal proceedings or regulatory
investigations related thereof.
In addition, the Company employs certain third party service
providers for TSMC and its affiliates worldwide with whom
the Company needs to share highly sensitive and confidential
information to enable them to provide the relevant services.
Despite that TSMC requires the third party service providers
to comply with the confidentiality and/or Internet security
requirements in its service agreements with them, there is no
assurance that each of them will strictly fulfill such obligations,
or at all. The on-site network systems of and the off-site cloud
computing networks such as servers maintained by such
service provider and/or its contractors are also subject to risks
associated with cyber attacks. If TSMC or its service providers
are not able to timely resolve the respective technical difficulties
caused by such cyber attacks, or ensure the integrity and
availability of its data (and data belonging to its customers
and other third parties) or control of its or its service providers’
computing systems, the Company’s commitments to its
customers and other stakeholders may be materially impaired
and its results of operations, financial condition, prospects and
reputation may also be materially and adversely affected as a
result." - https://investor.tsmc.com/static/annualReports/2017/english/...
There have been ransomware attacks against vulnerable NAS devices, but yes it's mostly Windows.
The biggest reason it's mostly Windows is not just worse security posture due to complexity but also that Windows is so popular in business, causing it to be the most aggressively attacked platform.
I expect that to change over time. I personally expect man-in-the-browser attacks to start targeting SaaS application data.
I suspect a secondary reason is that the way windows credentials and file shares are set up, you can really build one-size-fits-all malware that goes after creds and hashes in a fairly generic way.
There's a great Linux hardening guide that really made me question the common refrain about linux being more secure.
Out of the box on many distros it's not particularly that safe, it's widespread usage in servers rather than desktops means it's more the sensible firewalling and lack of user installed apps that's giving it the appearance of security.
>but also that Windows is so popular in business, causing it to be the most aggressively attacked platform
Yep, ransomware does nothing more than encrypting files users have read/write access to. The OS is not the limiting factor here. The access scope of users does. It really comes down to company IT and how they scope access (and lock down accounts with broader access like they are supposed to).
Also: prevent privilege escalation. That's the big issue every admin of Active Directory struggles with. I work as a pentester and we get domain admin rights within days (sometimes minutes) in about 95% of all engagements.
The nice thing about the legalese is it does let you know whether the thought has occurred to at least one person. Which is actually an important first step In avoiding the outcome.
Most "cybercrime avoidance" got pushed by insurances and GDPR. The problem is, it's mostly a set of bullshit checkboxes, intrusive surveillance software and utterly braindead "employee training programs" instead of actually useful measures.
From experience (was lead dev at company where sales let a bitlocker in and IT had mis-configured backup... which is normal for backup in most companies): It's all about what the infected machines can access. When my employer got hit, the problem was that there were many shared drives that the infected machines could access, and these were bitlockered. People would run programs off a shared drive, and get infected from that... then everything that machine had access to would get bitlockered. Backup was implemented where clients would push files to an open share and the share was backed up. The backups were bitlockered as a result. The shared drives were on a mix of linux and windows servers, and mac users that had shared folders the sales team could access had that data bitlockered. So, Windows was involved - it's how the bitlocker got in, but honestly, it was an emailed binary the salesperson ran that started the fun.
Incidentally, the dev team (mix of Windows, Linux, Mac) was completely unaffected because we did not have any open shares, remote access was done with SSH. We used a backup system that ran as a pull, where the machine being backed up could not directly access the backup store, so safe.
So yeah, Windows involved, but the damage was more about what infected machine had write access to on the network.
Wasn't really TSMC...but some info that was shared to Kinmax by TSMC. Totally different than TSMC being hacked directly...it's not like they hopped from Kinmax into TSMC's network either.
>LockBit targeted TSMC through one of its suppliers, Kinmax Technologies, an IT services provider specializing in networking, cloud computing, storage, security, and database management.
my experience is that usually this comes from CTO/director level and goes across the entire organization. middle managers don't have that much power, their role is just to spread (and watch) the requests across the teams.
>“Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any TSMC’s customer information. After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the Company’s security protocols and standard operating procedures,” the company’s spokesperson told Cybernews.
I immediately think about what motivation China would have to do or not do something like this. As they get shut out of semiconductor technology and don’t actually have any real control over Taiwan, it seems like there is no downside other than not wanting to get caught.
I'm not sure what you mean by "in control", but they have their foot in the door of Taiwanese politics, and share a lot of common culture. They also live next door.
I'm curious what the real goal is with demands like this.
Surely, given the size of the demand, it is beyond the authority of TSMC to pay up, even _if_ they wanted to?
I imagine governments and authorities with any sort of stake in what could possibly be done with such a sum of money (it's unlikely to be used for Good, right?) would have an oversized say in whether or not they are allowed to pay it?
Is there recent precedent for ransoms of this size being paid?
What kind of data could they actually have "stolen" that's worth TSMC paying up $70M, rather than just writing it off?
TSMC is the largest semiconductor manufacturer in the world and they have technology and manufacturing processes literally no one else has. As of right now their market cap is roughly $500B. Surely they hold information that's worth more than $70M.
Institutional knowledge is more akin to the ship of Theseus. Good companies know this, after all, even super knowledgeable employees sometimes look the wrong way when crossing the street.
You would need most of the people. One high level person is meaningless. Sure you can say "Dave" knows everything, but any smart company knows Dave could retire, or die at anytime and so the important stuff he knows is spread among a bunch of other people. Often it is also written down, just not in an easy format.
That's a much higher bar than hacking into some computers. And also, as people pointed, unless you are wholesale kidnapping enough people to fill a prison, it doesn't work like that.
I'm aware of their position; The info in this dump is probably worth little not nothing, but, the interesting conversation to me is whether even if someone did get some of their secret sauce, could they really build another TSMC, or even something similar?
Sure, given a billion dollar budget, few years to work, and a legal environment that lets them use those stolen secrets. It can't be done cheap, overnight, or where the legal environment doesn't allow it. Really only China, while plenty of places have smart engineers, the rest cannot get the rest together (and if they tried it would kill their economy).
Note that TSMC depends on other companies for various parts. Without those they need even more money and time to duplicate it all. There is nothing they are doing that you can't hire engineers to duplicate. They figured it out, so anyone could. However it isn't easy, we could be talking about hundreds of billions of dollars.
A billion dollars is not enough. The cutting edge tech for euv lithography isn’t even TSMCs.
TSMC does not have secrets that put them ahead. It’s all about the culture of operations efficiency and just being first to invest in actually implementing cutting edge tech.
The lithography is one of the technologies needed that if they can't get can bump this up to a lot more than a billion dollar. It can still be duplicated, but it will take more time and $$$.
ASML is the only company that sells certain equipment needed for photolithography. These machines are physically large and sell for hundreds of millions of dollars. Their export is regulated by multiple governments and international treaties. There are intelligence agencies tracking every single one of those machines and ensuring they don't fall into the wrong hands.
I mean maybe but that is completely unrelated to what OP is asking. He's questioning whether they would have the ability and the authority to move that amount of money to a criminal.
My point is more about what could be done with $70M in the wrong hands; that's the bit I imagine authorities that might move to block a ransom pay from happening would care about.
A friend of a co-worker works for a contracting agency with services including incident response for data ransoms. He says their go-to tactic is to haggle with the ransomers to bring the ransom down to some fraction of what the customer paid them and then implying to the customer that they cracked the key.
Yes, though in the case I am most familiar with, making the payment was a big deal because the hackers were in a sanctioned nation, which makes sending payments there illegal. If I recall correctly they went through some intermediary but still made the ransom payment. Which goes against all of the annual import/export corpo training, but I guess they found a loophole.
Sure...but not the data that was stolen. This data might be equivalent to the employee handbook for all we know...everything states that it has nothing to do with their advanced technologies.
A cyber ransom demand at one of the most important companies in the world, a lynchpin of digital manufacturing is not reassuring at all. Can their security really be that bad?
Yes. You would be hard pressed to find any company in the entire world that could prevent attackers with a mere $1M budget. Banks, power plants, car companys, cybersecurity companys, factorys, you name it, almost certainly less than $1M. In fact, probably under $100K, but $1M is a safe upper bound. At a $10M budget there are zero. In fact, no CISO I have ever heard from has ever said that is even possible for a perfect implementation (i.e. they have free reign to implement everything they want as long as it does not make the company non-functional, but they get to be judge, jury, and executioner in that analysis). So yeah, given “perfectly implemented” security a $70M ransom has a guaranteed 700% ROI, but in practice closer to a over 7000% ROI.
Not really if you live in a high cost-of-living (HCOL) country. Vulnerability weaponization is a very globalized industry and sufficiently easy that there is a oversupply from LCOL countrys. The real money is in deployment and usage as that requires the much rarer and more local criminal and money laundering skill sets.
> Not really if you live in a high cost-of-living (HCOL) country. Vulnerability weaponization is a very globalized industry and sufficiently easy that there is a oversupply from LCOL countrys. The real money is in deployment and usage as that requires the much rarer and more local criminal and money laundering skill sets.
A single iOS or Android full chain still goes for between, 2-2.5 million USD.
A full chain is a difficult attack to create, and probably worth a lot more than $2.5 million - beyond the reach of one person. You need at least two novel, serious exploits. That's why they are so valuable.
> A full chain is a difficult attack to create, and probably worth a lot more than $2.5 million - beyond the reach of one person. You need at least two novel, serious exploits. That's why they are so valuable.
Depends if you're publicly selling via Zerodium as much, but if you sell privately it might be worth more.
> beyond the reach of one person
It's going to be difficult but I don't think its beyond one person, but even if it was you could easily just go for a less difficult tier to make less money more often.
The real problem would be how lumpy the payments would be, you'd effectively get nothing until you found something and most people cannot afford to that.
Not just their security, their backup policies too, right? Ransomware is completely powerless if you can delete and restore. You'd think investing in backup systems, policies, training, monitoring, which is best practice anyway, is cheaper than the horrible PR and costs of these ransoms.
They just hack the backups as well. Adds like 10% to their costs because those systems are also completely insecure.
Even a perfect backup system is easy to beat. You just infiltrate the running system and encrypt the dataflow into the backup system after you get in, do that for a few months, then strike; now they have to restore from multiple month old backups which is basically just as good.
Before you say that infiltrating for multiple months is unrealistic, that is actually industry average. It usually takes a few months to years to detect a active infiltration that is actively siphoning all data out of your systems as fast as it is being generated. That is not even a largely quiescent system like the backup encrypter, that is actual high bandwidth egress remaining undetected for months.
They have backups...most companies do. That is why these ransomware groups have turned to extortion instead...don't pay and we expose your sensitive info to the world. No amount of good backup policies can block a group from releasing this info.
Ransomware groups play a game of attacking the most valuable targets they can, without attracting so much attention that three letter friends start having meetings about them.
Crypto is a necessary component. And then many ransomware implants will also refuse to run on systems with RUS locale, for instance. The understanding seems to be that groups can avoid attention of local law enforcement as long as they do not make any waves locally.
Anyone else remember when Colonial Pipeline was attacked? The "ransomware as a service" platform[0] stepped in to say "oops, sorry, never mind" when they realized they'd attracted more attention than they were prepared for[1]:
> We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
> Our goal is to make money and not creating problems for society.
> From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
This one isn't causing immediate disruptions to regular people in the US, but it's still geopolitical-level meddling. If you want to run around mugging people, it's best to avoid robbing the police chief's best friend.
They do when it leaves the law enforcement world and goes to shadowy government agencies as in Colonial pipeline that have a lot more resources and don't have to play by many rules when dealing with hostile foreign based attacks. If LockBit suddenly crippled the US electric grid or stock market it would be the end of them. So these groups try to extract as much money as they can without getting that heat.
They will probably contact the real-life folks that were the basis for the character played by Liam Neeson in Taken.
"I don't know who you are. I don't know what you want. If you are looking for ransom I can tell you I don't have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now that'll be the end of it. I will not look for you, I will not pursue you, but if you don't, I will look for you, I will find you and I will kill you."
- Liam Neeson, Taken.
> In 2011, a self-proclaimed counter-terrorism expert was convicted of wire fraud after claiming the film was based on a real-life incident in which his daughter was killed. William G. Hillar, who pretended to be a retired Green Beret colonel, claimed to have spent more than 12 years lecturing US government agencies such as the Federal Bureau of Investigation on security issues. However, records revealed he had actually been a radar operator in the Coast Guard Reserve between 1962 and 1970, and had never been in the US Army. Nevertheless, his website claimed Taken was based on events involving him and his family. Hillar, who admitted the charges, was sentenced to 500 hours of community service at Maryland State Veteran Cemeteries. He also agreed to repay $171,000 in speaking fees that he had received from various organizations to which he had presented himself as an expert in terrorism and human trafficking.[29]
Russia is famously a country where you can buy full personal dossier of basically anyone for pocket change on dark net, with extremely corrupt law enforcement and literal private militaries operating on its territory.
If one set out to do it without much bureaucracy, it is honestly fairly simple given the resources.
You seriously think the US can't get a few mercenaries inside Russia if they wanted to? Especially in this case... I am reasonably sure more or less neutral forces like the Middle East states or India would rather frown at disrupting TSMC and wouldn't be against a little underhanded action to take a few civilians out. It's not like you are doing a coup or such, you just need to accident a few civilians.
> You seriously think the US can't get a few mercenaries inside Russia if they wanted to?
This would be unbelievably risky... The mercenary might get caught afterwards, before, or just be a Russian double agent from the start. And if any of that happens, you'd give Putin a massive refueling on his bonfire of anti-western propaganda.
> The mercenary might get caught afterwards, before, or just be a Russian double agent from the start.
If you're going to make things up, it might be an entirely successful poisoning done by the girlfriend of the head of the gang, days after her mom's bills for cancer treatment were entirely paid off. Then, a rumor goes around that she killed him to get to a secret account, and the evidence is that her mom's bills were paid off mysteriously. Days later, she's found dead in an alley; people assume that she was a victim of another member of the gang - even the other members of the gang assume it, although no one is talking. Meanwhile, it was an agent that had been placed as a clerk at a local tax office, on his lunch break.
You wouldn't hire some ex US special forces person hiding in Russia in deep cover, like a movie. You'd hire local thugs who works as enforcers for a gang to simply grab these guys and shove them in a van and deliver them to a warehouse.
These are cash-motivated criminals not ideological or patriotic fanatics. I imagine the interrogation would be like "You know why we captured you, right? Yes. Login and disable your entire network and live or we brutalize you until you do and then kill you. Ok."
Especially if this was at a government level (ie, not private "loss prevention") you'd be able to tap the intel network for local criminals and things to hold over their heads to motivate them.
How do you make sure these people don’t take money and vanish?
You tell them half payment before and half after? Then they leave with half and don’t do shit.
You say well I’m going to pay you all after job is done. Well they say fuck you, pay half now or we are not lifting a finger you want something from us not that we want anything from you.
Oh how do you track them down and beat them up if they are gone with your half payment? You hire next batch that do the same?
You really think anyone who isn't already sucking up to him cares what Vlad is saying? The US could probably do anything in Russia right now short of using a dirty bomb (and even then, as long as there are no US markings ..) and nothing would change.
Yes, many care, just like they did during the Cold War when the US and USSR would battle for the hearts of non-aligned countries. Much of the world is wary of the United States and thinks it is an out-of-control bully that answers to no one. That Russia invaded Ukraine isn't unnoticed by these countries but that doesn't give the US a free pass to do whatever it wants, wherever it wants. Lots of countries would like to see the US embarrassed for its continued overreach and bullying of smaller countries. Trying to conduct covert operations inside of Russia and getting caught would be a huge positive in the eyes of those who are routinely victimized by the meddling of the United State in everyone's affairs.
> Much of the world is wary of the United States and thinks it is an out-of-control bully that answers to no one.
I mean, bully is an emotionally weighted term; but that is precisely the situation. They're the hegemon/sole superpower. It's what nations in that position have done since time immemorial.
On the flipside, Pax Americana has been undeniably the most peaceful time in recorded human history. Conquest is nigh nonexistant, most empires are dead and war, poverty and sickness are at an all-time low. With many of the geopolitical and technological advances that led to that directly attributable to the United States and it's allies. The question isn't whether they are "bullies" or not, it's whether or not you think they're abusing that status and that the other options are nicer bullies. Empires fall throughout history, them losing superpower status would just be a footnote for those people's "gotcha"; so they better be sure the alternative is an improvement.
> That Russia invaded Ukraine isn't unnoticed by these countries but that doesn't give the US a free pass to do whatever it wants, wherever it wants.
Clearly it does. Unless/until someone wants to dismantle their position. Are they playing with fire by overutilizing that position? Certainly. But they're willing to risk that when it is particularly beneficial for them/their allies. What is Cuba, North Korea, Iran, Mexico, etc going to do about it?
> Lots of countries would like to see the US embarrassed for its continued overreach and bullying of smaller countries.
Lots of countries would like to see them embarrassed even if they did absolutely nothing. Again, that's the risk of being hegemon.
This is a lot more complex than just praising the US for the state of affairs past World War II. Bootstrapping Europe with the Marshall plan was great. But Western European peace is largely entrenched thanks to the Schuman Plan leading to the formation of the Steel And Coal Community eventually mutating into the European Union.
US efforts elsewhere are ... not great? While the US involvement in the 1949 coup in Syria is not clear, it's certainly sus how quickly the president approved a pipeline. Then there was Iran shortly after with Mossadegh (https://www.npr.org/2019/01/31/690363402/how-the-cia-overthr...) etc
Central and Southern America , well , can we even name a country where they haven't intervened for the worse?
I didn't praise the US anywhere in that post. I simply stated that the geopolitical situation resulting from their being "numbah one" (Pax Americana) has been, pretty much without question, the most warless, healthy, prosperous and equitable time in history. And that a significant portion of that is directly correlated to their political, militaristic and technological motives. When their direct/closest allies are added in, that grows to the vast majority. Nothing about that is praise, it's just fact.
Hating them is worth nothing, if the replacement (and it's geopolitical aura) is worse; beyond a "gotcha murricans" that would fade in a decade. Few would argue for the world being better if the Soviet Union "won" the Cold War and the US collapsed, especially given the current situation.
That all being said, we could easily take this offline and have a direct conversation on Latin America and how there are hundreds of ways it was positively affected by Pax Americana (even in a net positive, for most), despite the terrible things it's done. And how all of the other regional powers were acting in the exact same manner (worse, in many cases), but receive far less attention in the shadow of the US. My degree/education is in precisely that field, after all.
You're describing a standard CIA black op. And if they aren't going after a Russian government asset, I'd wager there would be less likelihood of catching heat, especially if the one's doing the work are native Russians looking to make a quick buck.
> You're describing a standard CIA black op. And if they aren't going after a Russian government asset, I'd wager there would be less likelihood of catching heat, especially if the one's doing the work are native Russians looking to make a quick buck.
Black OPs are not necessary, and would likely be too messy, what is more effective is flooding weapons into a border nation (like Ukraine) currently at conflict with Russia and then tapping into the local dissenting populace (aptly justified) and allowing them to infiltrate a porous border.
While I'm not stupid enough to think that the CIA aren't above such things, the truth is just like with Cuba/Castro they cannot resort to such tactics anymore: land invasions end up like Afghanistan and Iraq, Stuxnet leads to further instability for almost no gain (blame Israel/Mossad) and this seems more like what they did in the Iran-contra situation mixed in with operation fast and furious. This allows for nearly absolute plausible deniability, while also letting Russia know it's not beyond the West's touch.
The Pentagon/DoD supplying the weapons is just the right amount of overt message
that gets the pint across.
Geopolitics and War are absolutely disgusting, but at least their is a logic behind it instead of Red scare BS they were once so headlong to follow; what I ultimately fear is the path these psychopaths are likely to lead us as a Species down if this doesn't end soon.
Just by typing this out it reveals ignorance regarding this topic. The people who actually know how it's settled in Moscow and D.C. don't write replies on HN.
> those hollywood stories about mercs acting as in cia/jason-bourne movie in reality won't fly in Russia
Hollywood fantasies not withstanding, partisans have been operational in Russia and Belarus since at least the war began. In fact the counter offensive heavily relies on the use of Partisan [0] for sabotage, intel, and counter intelligence and likely will remain until the War ends, and possibly longer.
I think this will end in the end o the greater Russian Federation, last weekend it got close to showing what it will take: there too many warring factions with oligarchs, personal interest and access to private paramilitaries/mercenaries (Wagner being the most obvious) will not allow their standing as the effective ruling class be let go because they no longer support Putin and will back anyone who keeps them in their lofty positions--the collapse of the Soviet Union proved that many times over.
In short, a corrupt Mafia petrol-state has many enemies in and out of it's borders; to think their aren't people ready and willing to kill for vengeance is the real sense of fiction here. Hell, throughout the war their have been many examples of these 'Bourne' types, before the rounding up of fighting age men during the mobilization last year that led to millions of men fleeing Russia, recruitment centers were set ablaze in defiance to the war.
What gets me is if everyone knows this is the inevitable outcome, wouldn't the most logical thing to do is to back Nadya from Pussy riot or Alexi's forced escape and subsequent political aspirations or campaign. (I don't personally care who governs what will likely be a smaller Russia so long as they're contained, and their nuclear weapons are static).
> let me just tell you that you're in way over your head
>> Just by typing this out it reveals ignorance regarding this topic. The people who actually know how it's settled in Moscow and D.C. don't write replies on HN.
Funny, I was is in Ukraine in the Fall of '21 and I felt and knew Russia was going to invade by November, which was when Belarus and Poland were in a proxy war and I had to return into the EU during that debacle and saw how Hungary was locking it's borders.
By contrast no one was mentioning the possibility of Russia invading at that time, despite having put 75k troops in the Spring on the Ukrainian border in Belarus being a major contributor, with any real seriousness.
I'm well aware of what I don't know on these matters, but unlike most of you I have been involved in this matter since the Maidan Revolution. The creation of Uniterd24 was the manifestation of the technology WE in the Bitcoin community built, while you FAANG lackeys patted yourself on the back in creating a digital panopticon.
Let me remind you: we are not the same thing, so I'm not offended. I'm just aghast of how little you people grasp of the World and what is possible with allocating human capital to more noble causes. But since it isn't lucrative or even looked down as it is here (see my post history for examples of this laughable arrogance), if this weren't the case then maybe your opinion would have some value to me.
Just to be clear: I'm not a shot-caller, nor do I consider myself one as I'm an anarchist for a reason and detest the nature of politics/geopolitics to my very core; however, it's clear that COVID and this war has shown the horrendous nature of sleeping with despots these last 3 decades has and is mired with long term consequences for short term (but lucrative gains) for corporations and politicians.
Until you know what it feels like to see Fukushima and then seeing these moronic mobiks digging up trenches in Chernobyl and living in dread as they start shelling Zaporizhzhia while living on mainland Europe I will just never see any value in your opinions either.
Even if they are out of reach of western intelligence agencies, they are stepping on the Russian government’s toes with unsanctioned attacks on critical infrastructure.
Ratchet up enforcement and surveillance and sanctions on the whole ecosystem, so that their lives are all less pleasant. Given enough political willpower, the US could stop accepting it as the price of business, and even start finding WMDs in Iraq, so to speak.
E.g. move from sanctioning and charging the leaders to sanctioning and charging everyone in the whole operation, so they and their families can't leave Russia without facing arrest.
As long as they never leave Russia, they're fine... for now. But even Snowden knows Putin's imminent fall from power could upend his extradition protection.
Russia could touch anyone in the US that they really wanted to, and vice versa. There is just this understanding that whatever you do, they are going to know it was you most likely, and something is coming back. So Russia turning a blind eye to cybercriminals extorting the USA and others is their way at annoying the USA just as the USA does to them in various ways. But when that annoyance turns into something more than annoying, and verges on an act of war, there will be a response. That is why you don't really see foreign acts of assassination. Because other parties can do the same thing.
“We are apolitical, we do not participate in geopolitics” is something I’ve heard literally dozens of times from Russian civilian interviews over the war. It’s kind of amazing that some groups genuinely think that’s a valid explanation for any state sponsored/condoned/overlooked aggression, cyber or otherwise.
TSMC gets on the phone. Calls Vlad. Says, “It will be three hundred years before we sell an integrated circuit to any Russian entity unless you deliver to us the decryption keys, a complete description of everything on our network that was touched, and the thumbs of everyone involved. Hurry. If we recover from backups we’ll never need Russian language staff again, if you catch my drift.”
>this incident could potentially disrupt the supply of semiconductors and impact GPU prices. The global chip shortage has already led to increased prices and limited availability of GPUs. A disruption at TSMC could exacerbate this issue, potentially leading to further price hikes in the market for GPUs.
This is a non-sequitr. Yes there was a cyberattack, but you presented no evidence as to how this could affect chip production besides giving a bunch of anecdotes to what a disruption would do. The rest of the article is informative but I just didn't understand this part.
138 comments
[ 3.3 ms ] story [ 103 ms ] threadHas there been any Ransomware Attacks that don't involve Windows machines?
"Risks Associated with Cyber Attacks
Even though TSMC has established a comprehensive internet and computing security network, it cannot guarantee that the Company’s computing systems which control or maintain vital corporate functions ,such as its manufacturing operations and enterprise accounting, would be completely immune to crippling cyber attacks by any third party to gain unauthorized access to its internal network systems, to sabotage its operations and goodwill or otherwise. In the event of a serious cyber attack, TSMC’s systems may lose important corporate data and its production lines may be shutdown indefinitely pending the resolution of such attack. While TSMC also seeks to annually review and assess its cybersecurity policies and procedures to ensure their adequacy and effectiveness, it cannot guarantee that the Company will not be susceptible to new and emerging risks and attacks in the evolving landscape of cybersecurity threats. These cyber attacks may also attempt to steal TSMC’s trade secrets and other intellectual properties and other sensitive information, such as proprietary information of the Company’s customers and other stakeholders and personal information of the Company’s employees. Malicious hackers may also try to introduce computer viruses, corrupted software or ransomware into the Company’s network systems to disrupt its operations, blackmail it for regaining control of its computing systems or spy for sensitive information. These attacks may result in TSMC having to pay damages for its delayed or disrupted orders or incur significant expenses in implementing remedial and improvement measures to enhance the Company’s cybersecurity network, and may also expose the Company to significant legal liabilities arising from or related to legal proceedings or regulatory investigations associated with, among other things, leakage of customer or third party information which TSMC has an obligation to keep confidential. During 2017 and as of the date of this Annual Report, the Company had not been aware of any material cyber attacks or incidents that had or would expected to have a material adverse effect on its business and operations, nor had it been involved in any legal proceedings or regulatory investigations related thereof.
In addition, the Company employs certain third party service providers for TSMC and its affiliates worldwide with whom the Company needs to share highly sensitive and confidential information to enable them to provide the relevant services. Despite that TSMC requires the third party service providers to comply with the confidentiality and/or Internet security requirements in its service agreements with them, there is no assurance that each of them will strictly fulfill such obligations, or at all. The on-site network systems of and the off-site cloud computing networks such as servers maintained by such service provider and/or its contractors are also subject to risks associated with cyber attacks. If TSMC or its service providers are not able to timely resolve the respective technical difficulties caused by such cyber attacks, or ensure the integrity and availability of its data (and data belonging to its customers and other third parties) or control of its or its service providers’ computing systems, the Company’s commitments to its customers and other stakeholders may be materially impaired and its results of operations, financial condition, prospects and reputation may also be materially and adversely affected as a result." - https://investor.tsmc.com/static/annualReports/2017/english/...
The biggest reason it's mostly Windows is not just worse security posture due to complexity but also that Windows is so popular in business, causing it to be the most aggressively attacked platform.
I suspect a secondary reason is that the way windows credentials and file shares are set up, you can really build one-size-fits-all malware that goes after creds and hashes in a fairly generic way.
Out of the box on many distros it's not particularly that safe, it's widespread usage in servers rather than desktops means it's more the sensible firewalling and lack of user installed apps that's giving it the appearance of security.
Edit: the guide, first link is their rationale - https://madaidans-insecurities.github.io/guides/linux-harden...
Yep, ransomware does nothing more than encrypting files users have read/write access to. The OS is not the limiting factor here. The access scope of users does. It really comes down to company IT and how they scope access (and lock down accounts with broader access like they are supposed to).
At least Lockbit seems to have samples floating around for macOS [1].
> At least three of their Annual Reports indicates they knew of the risk of attack.
That's a pretty standard statement these days, it's legalese to prevent shareholders suing for improper statements/risk assessment after an attack.
[1] https://t3n.de/news/macos-version-ransomware-lockbit-1547612...
Incidentally, the dev team (mix of Windows, Linux, Mac) was completely unaffected because we did not have any open shares, remote access was done with SSH. We used a backup system that ran as a pull, where the machine being backed up could not directly access the backup store, so safe.
So yeah, Windows involved, but the damage was more about what infected machine had write access to on the network.
It just takes one.
https://airbus-seclab.github.io/ilo/BHUSA2021-Slides-hpe_ilo...
The bit about security is ironic.
When this is your selection bias, do the results surprise you?
Or by how nice the ties they wear are
https://cybernews.com/news/tsmc-data-breach-lockbit/
I'm not sure what you mean by "in control", but they have their foot in the door of Taiwanese politics, and share a lot of common culture. They also live next door.
They have 0 control in Taiwanese politics unless you consider interference having their foot in the door.
North Korea on the other hand use ransomware as one of their main ways of getting foreign currency.
What remains to be seen if the response (if any) to this. You tread a fine line when you threaten the worlds chip supply.
Surely, given the size of the demand, it is beyond the authority of TSMC to pay up, even _if_ they wanted to?
I imagine governments and authorities with any sort of stake in what could possibly be done with such a sum of money (it's unlikely to be used for Good, right?) would have an oversized say in whether or not they are allowed to pay it?
Is there recent precedent for ransoms of this size being paid?
What kind of data could they actually have "stolen" that's worth TSMC paying up $70M, rather than just writing it off?
Most of it probably isn't even on paper but in the minds of their top employees.
Note that TSMC depends on other companies for various parts. Without those they need even more money and time to duplicate it all. There is nothing they are doing that you can't hire engineers to duplicate. They figured it out, so anyone could. However it isn't easy, we could be talking about hundreds of billions of dollars.
TSMC does not have secrets that put them ahead. It’s all about the culture of operations efficiency and just being first to invest in actually implementing cutting edge tech.
ASML is the only company that sells certain equipment needed for photolithography. These machines are physically large and sell for hundreds of millions of dollars. Their export is regulated by multiple governments and international treaties. There are intelligence agencies tracking every single one of those machines and ensuring they don't fall into the wrong hands.
This is just one fatal flaw with the plan.
What, not even ASML that literally sells them that tech?:) No need to over dramatize.
It's not even 12 hours revenue for TSMC.
It is modern equivalent of "rocket science" decades ago
TSMC is amazing but they didn’t invent nor build the EUV lithography machines that enable their processes.
I tend to write this about whole semico, but this time I went just with TSMC, but it isnt fully correct
Think again. Companies try to hide it really well but million-dollar ransoms are paid all. The. Time.
Likewise with insurance payouts for kidnapping ransoms
https://www.theverge.com/2020/8/4/21353842/garmin-ransomware...
How valuable can this be?
A single iOS or Android full chain still goes for between, 2-2.5 million USD.
https://zerodium.com/images/zerodium_prices_mobiles.png
https://zerodium.com/images/zerodium_prices.png
if someone was skilled they could easily live in a HCOL area making 1-1.25 million USD a year.
Depends if you're publicly selling via Zerodium as much, but if you sell privately it might be worth more.
> beyond the reach of one person
It's going to be difficult but I don't think its beyond one person, but even if it was you could easily just go for a less difficult tier to make less money more often.
The real problem would be how lumpy the payments would be, you'd effectively get nothing until you found something and most people cannot afford to that.
Even a perfect backup system is easy to beat. You just infiltrate the running system and encrypt the dataflow into the backup system after you get in, do that for a few months, then strike; now they have to restore from multiple month old backups which is basically just as good.
Before you say that infiltrating for multiple months is unrealistic, that is actually industry average. It usually takes a few months to years to detect a active infiltration that is actively siphoning all data out of your systems as fast as it is being generated. That is not even a largely quiescent system like the backup encrypter, that is actual high bandwidth egress remaining undetected for months.
Crypto is a necessary component. And then many ransomware implants will also refuse to run on systems with RUS locale, for instance. The understanding seems to be that groups can avoid attention of local law enforcement as long as they do not make any waves locally.
https://www.bleepingcomputer.com/news/security/tsmc-denies-l...
> We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives.
> Our goal is to make money and not creating problems for society.
> From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.
This one isn't causing immediate disruptions to regular people in the US, but it's still geopolitical-level meddling. If you want to run around mugging people, it's best to avoid robbing the police chief's best friend.
[0] https://www.state.gov/darkside-ransomware-as-a-service-raas/
[1] https://www.theverge.com/2021/5/10/22428996/colonial-pipelin...
"I don't know who you are. I don't know what you want. If you are looking for ransom I can tell you I don't have money, but what I do have are a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you. If you let my daughter go now that'll be the end of it. I will not look for you, I will not pursue you, but if you don't, I will look for you, I will find you and I will kill you." - Liam Neeson, Taken.
https://en.wikipedia.org/wiki/Taken_(film)#Controversy
> In 2011, a self-proclaimed counter-terrorism expert was convicted of wire fraud after claiming the film was based on a real-life incident in which his daughter was killed. William G. Hillar, who pretended to be a retired Green Beret colonel, claimed to have spent more than 12 years lecturing US government agencies such as the Federal Bureau of Investigation on security issues. However, records revealed he had actually been a radar operator in the Coast Guard Reserve between 1962 and 1970, and had never been in the US Army. Nevertheless, his website claimed Taken was based on events involving him and his family. Hillar, who admitted the charges, was sentenced to 500 hours of community service at Maryland State Veteran Cemeteries. He also agreed to repay $171,000 in speaking fees that he had received from various organizations to which he had presented himself as an expert in terrorism and human trafficking.[29]
If one set out to do it without much bureaucracy, it is honestly fairly simple given the resources.
This would be unbelievably risky... The mercenary might get caught afterwards, before, or just be a Russian double agent from the start. And if any of that happens, you'd give Putin a massive refueling on his bonfire of anti-western propaganda.
If you're going to make things up, it might be an entirely successful poisoning done by the girlfriend of the head of the gang, days after her mom's bills for cancer treatment were entirely paid off. Then, a rumor goes around that she killed him to get to a secret account, and the evidence is that her mom's bills were paid off mysteriously. Days later, she's found dead in an alley; people assume that she was a victim of another member of the gang - even the other members of the gang assume it, although no one is talking. Meanwhile, it was an agent that had been placed as a clerk at a local tax office, on his lunch break.
If we're making things up.
These are cash-motivated criminals not ideological or patriotic fanatics. I imagine the interrogation would be like "You know why we captured you, right? Yes. Login and disable your entire network and live or we brutalize you until you do and then kill you. Ok."
Especially if this was at a government level (ie, not private "loss prevention") you'd be able to tap the intel network for local criminals and things to hold over their heads to motivate them.
You tell them half payment before and half after? Then they leave with half and don’t do shit.
You say well I’m going to pay you all after job is done. Well they say fuck you, pay half now or we are not lifting a finger you want something from us not that we want anything from you.
Oh how do you track them down and beat them up if they are gone with your half payment? You hire next batch that do the same?
I mean, bully is an emotionally weighted term; but that is precisely the situation. They're the hegemon/sole superpower. It's what nations in that position have done since time immemorial.
On the flipside, Pax Americana has been undeniably the most peaceful time in recorded human history. Conquest is nigh nonexistant, most empires are dead and war, poverty and sickness are at an all-time low. With many of the geopolitical and technological advances that led to that directly attributable to the United States and it's allies. The question isn't whether they are "bullies" or not, it's whether or not you think they're abusing that status and that the other options are nicer bullies. Empires fall throughout history, them losing superpower status would just be a footnote for those people's "gotcha"; so they better be sure the alternative is an improvement.
> That Russia invaded Ukraine isn't unnoticed by these countries but that doesn't give the US a free pass to do whatever it wants, wherever it wants.
Clearly it does. Unless/until someone wants to dismantle their position. Are they playing with fire by overutilizing that position? Certainly. But they're willing to risk that when it is particularly beneficial for them/their allies. What is Cuba, North Korea, Iran, Mexico, etc going to do about it?
> Lots of countries would like to see the US embarrassed for its continued overreach and bullying of smaller countries.
Lots of countries would like to see them embarrassed even if they did absolutely nothing. Again, that's the risk of being hegemon.
US efforts elsewhere are ... not great? While the US involvement in the 1949 coup in Syria is not clear, it's certainly sus how quickly the president approved a pipeline. Then there was Iran shortly after with Mossadegh (https://www.npr.org/2019/01/31/690363402/how-the-cia-overthr...) etc
Central and Southern America , well , can we even name a country where they haven't intervened for the worse?
Hating them is worth nothing, if the replacement (and it's geopolitical aura) is worse; beyond a "gotcha murricans" that would fade in a decade. Few would argue for the world being better if the Soviet Union "won" the Cold War and the US collapsed, especially given the current situation.
That all being said, we could easily take this offline and have a direct conversation on Latin America and how there are hundreds of ways it was positively affected by Pax Americana (even in a net positive, for most), despite the terrible things it's done. And how all of the other regional powers were acting in the exact same manner (worse, in many cases), but receive far less attention in the shadow of the US. My degree/education is in precisely that field, after all.
those hollywood stories about mercs acting as in cia/jason-bourne movie in reality won't fly in Russia
Black OPs are not necessary, and would likely be too messy, what is more effective is flooding weapons into a border nation (like Ukraine) currently at conflict with Russia and then tapping into the local dissenting populace (aptly justified) and allowing them to infiltrate a porous border.
While I'm not stupid enough to think that the CIA aren't above such things, the truth is just like with Cuba/Castro they cannot resort to such tactics anymore: land invasions end up like Afghanistan and Iraq, Stuxnet leads to further instability for almost no gain (blame Israel/Mossad) and this seems more like what they did in the Iran-contra situation mixed in with operation fast and furious. This allows for nearly absolute plausible deniability, while also letting Russia know it's not beyond the West's touch.
The Pentagon/DoD supplying the weapons is just the right amount of overt message that gets the pint across.
Geopolitics and War are absolutely disgusting, but at least their is a logic behind it instead of Red scare BS they were once so headlong to follow; what I ultimately fear is the path these psychopaths are likely to lead us as a Species down if this doesn't end soon.
Hollywood fantasies not withstanding, partisans have been operational in Russia and Belarus since at least the war began. In fact the counter offensive heavily relies on the use of Partisan [0] for sabotage, intel, and counter intelligence and likely will remain until the War ends, and possibly longer.
I think this will end in the end o the greater Russian Federation, last weekend it got close to showing what it will take: there too many warring factions with oligarchs, personal interest and access to private paramilitaries/mercenaries (Wagner being the most obvious) will not allow their standing as the effective ruling class be let go because they no longer support Putin and will back anyone who keeps them in their lofty positions--the collapse of the Soviet Union proved that many times over.
In short, a corrupt Mafia petrol-state has many enemies in and out of it's borders; to think their aren't people ready and willing to kill for vengeance is the real sense of fiction here. Hell, throughout the war their have been many examples of these 'Bourne' types, before the rounding up of fighting age men during the mobilization last year that led to millions of men fleeing Russia, recruitment centers were set ablaze in defiance to the war.
What gets me is if everyone knows this is the inevitable outcome, wouldn't the most logical thing to do is to back Nadya from Pussy riot or Alexi's forced escape and subsequent political aspirations or campaign. (I don't personally care who governs what will likely be a smaller Russia so long as they're contained, and their nuclear weapons are static).
0: https://archive.is/YfOfQ
ps no offence and I don't expect you to change your opinion or how you view the world
>> Just by typing this out it reveals ignorance regarding this topic. The people who actually know how it's settled in Moscow and D.C. don't write replies on HN.
Funny, I was is in Ukraine in the Fall of '21 and I felt and knew Russia was going to invade by November, which was when Belarus and Poland were in a proxy war and I had to return into the EU during that debacle and saw how Hungary was locking it's borders.
By contrast no one was mentioning the possibility of Russia invading at that time, despite having put 75k troops in the Spring on the Ukrainian border in Belarus being a major contributor, with any real seriousness.
I'm well aware of what I don't know on these matters, but unlike most of you I have been involved in this matter since the Maidan Revolution. The creation of Uniterd24 was the manifestation of the technology WE in the Bitcoin community built, while you FAANG lackeys patted yourself on the back in creating a digital panopticon.
Let me remind you: we are not the same thing, so I'm not offended. I'm just aghast of how little you people grasp of the World and what is possible with allocating human capital to more noble causes. But since it isn't lucrative or even looked down as it is here (see my post history for examples of this laughable arrogance), if this weren't the case then maybe your opinion would have some value to me.
Just to be clear: I'm not a shot-caller, nor do I consider myself one as I'm an anarchist for a reason and detest the nature of politics/geopolitics to my very core; however, it's clear that COVID and this war has shown the horrendous nature of sleeping with despots these last 3 decades has and is mired with long term consequences for short term (but lucrative gains) for corporations and politicians.
Until you know what it feels like to see Fukushima and then seeing these moronic mobiks digging up trenches in Chernobyl and living in dread as they start shelling Zaporizhzhia while living on mainland Europe I will just never see any value in your opinions either.
Are you talking about https://u24.gov.ua/ ? Not a trace of crypto... (obviously since all crypto is a scam.)
E.g. move from sanctioning and charging the leaders to sanctioning and charging everyone in the whole operation, so they and their families can't leave Russia without facing arrest.
Don't link everything to one ongoing conflict. Business interests continue unabated even in the darkest of times.
This is a non-sequitr. Yes there was a cyberattack, but you presented no evidence as to how this could affect chip production besides giving a bunch of anecdotes to what a disruption would do. The rest of the article is informative but I just didn't understand this part.