The chipmaker said it wasn't directly hacked by LockBit but has been exposed due to an intrusion into Kinmax’s systems.

Taiwan Semiconductor Manufacturing Company (TSMC) has blamed one of its equipment suppliers for the LockBit breach that has exposed the chip-making giant to a $70 million ransom demand.

The company has identified the breached third-party supplier as Kinmax Technology, a Taiwan-based system integrator, without divulging the nature of the data compromised.

"TSMC has recently been aware that one of our IT hardware suppliers experienced a cybersecurity incident, which led to the leak of information pertinent to server initial setup and configuration," TSMC said.

On Thursday, one of the affiliates of the LockBit ransomware gang, National Hazard Agency, shared screenshots of directory listings of stolen TSMC files on its leak website, giving TSMC an August 6 deadline to pay $70 million. Failure to pay would cause the hacker group to leak exfiltrated info, including network login credentials for TSMC's IT network, the post said.

TSMC blames third-party breach

TSMC claimed that third-party supplier Kinmax, the system integrator that works with leading technology players like Hewlett-Packard, Microsoft, VMware, Cisco, and Fortinet, experienced a system breach that exposed its customers to threats.

However, the security breach "has not directly affected TSMC’s business operations, nor did it compromise any TSMC’s customer information," TSMC said. "After the incident, TSMC has immediately terminated its data exchange with this supplier in accordance with the company's security protocols and standard operating procedures."

National Hazard Agency said it is prepared to publish a list of what it calls "points of entry" into TSMC's network, along with passwords and login information for them.

"This breach is a great example of why machine identities are just as important as employee identities," said Lior Yaari, CEO and co-founder of Grip Security. "Data is everywhere and accessed from anywhere by anybody. Companies who are able to secure employee and machine identities will be more secure than those that cannot."

Kinmax issues apology, downplays breach

Kinmax has issued a letter to its customers regarding an intrusion the supplier discovered within its internal testing environment on June 29, allowing unauthorized access to system installation preparation information. It said the breached information has nothing to do with customers' actual applications, only the basic settings at the time of shipment.

"The leaked content mainly consisted of system installation preparation that the company provided to our customers as default configurations," the Kinmax letter read. "At present, no damage has been caused to the customer and the customer has not been hacked by it."

Neither TSMC nor Kinmax has publicly confirmed the claims made by LockBit regarding the unauthorized possession of critical TSMC data. Neither party has revealed whether either or both of them would pay the $70 million demand.

"We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience," Kinmax said. "The company has thoroughly investigated this incident and implemented enhanced security measures to prevent such incidents from occurring in the future."