WannaCry Outbreak Hits Chipmaker, Could Cost $170 MillionFactories Crippled After WannaCry Variant Infects Unpatched Windows 7 Machines
Taiwan Semiconductor Manufacturing Co., the world's largest chip manufacturer, says a WannaCry infection hit unpatched Windows 7 systems in its fabrication facilities, leaving multiple factories crippled. The chipmaker traced the infection to a new software tool that it failed to scan for malware before installation, and says the outbreak could cost it $170 million.
The publicly traded company first reported that the ransomware outbreak would have a 3 percent impact on its third quarter revenue, but subsequently revised the impact down to 2 percent. The company also faces delays in shipping its wafers, although it says in a statement that it expects to catch up on these in the fourth quarter.
The chipmaker says the outbreak was not the work of a hacker. "Data integrity and confidential information was not compromised," it says in a statement.
"This is purely our negligence. so I don't think there is any hacking behavior," CEO C.C. Wei told reporters on Monday. "We regret this. There won't be any more human errors."
TSMC, based in Hsinchu, Taiwan, supplies chips to Apple, Qualcomm, Nvidia, AMD and more; it's the sole supplier of Apple's main iPhone processor. TSMC also recently began manufacturing 7 nanometer chips, which are expected to appear in the coming months in new mobile devices from Apple and Samsung.
WannaCry, which U.S. and U.K. authorities believe was developed by North Korea, has struck as many as 300,000 endpoints in 150 countries since May 2017. The ransomware, which demanded $300, is so potent because it had been engineered as a worm designed to jump from infected computers to new, vulnerable ones.
The ransomware continues to sting organizations. In March, Boeing said a malware outbreak affected a small number of non-production systems. The Seattle Times reported that the malware was WannaCry (see Boeing Confirms 'Limited' Malware Outbreak).
TSMC says it will now strengthen its operating procedures.
"In addition, the company will continue to keep abreast computer virus trends, immediately perform appropriate anti-virus measures in its fabs [fabrication facilities] and further strengthen information security," it says in a statement.
No Virus Scanning
TSMC has shed some light on how it became infected.
The company installed a new software tool on Friday, TSMC spokesman Michael Kramer tells ISMG. The tool, however, was not confirmed to be virus-free before connecting to TSMC's network, which allowed it to enter the network, he says.
"In other words, this tool arrived at our facility with a virus already on it," Kramer says. "The tool was connected to our network without first scanning for viruses - that was the misoperation."
Once on TSMC's systems, the variant of WannaCry did not encrypt hard drives or ask for a ransom. Instead, "it caused our systems to crash or continually reboot," Kramer says.
The outbreak at TSMC is a reminder that patching is not always an easy endeavor in manufacturing environments because any code changes must be rigorously tested to ensure they don't have a real-world impact - for example on industrial control systems or supervisory control and data acquisition systems, which control the software and hardware that runs manufacturing processes. Indeed, ICS and SCADA systems may have a lifespan of 20 to 30 years. Many were never designed to be internet connected.
Many security experts believe that TSMC - wisely - does not have its fabrication production systems directly connected to the internet. In theory, that makes the companies' systems less susceptible to internet-borne viruses. Unfortunately, it also means that WannaCry-infected systems would not have been able to reach a "kill switch," which otherwise could have arrested its WannaCry outbreak, says Kevin Beaumont, a U.K.-based security researcher.
The kill switch was famously discovered by security researcher Marcus Hutchins, who is facing federal hacking charges in the U.S. Before his arrest in August 2017 after attending the Def Con conference in Las Vegas, however, he blunted WannaCry's impact in May 2017 after discovering that the ransomware would quit running if it detected that a specific domain was live. He registered the domain, creating a so-called kill switch or sinkhole, which remains live today (see WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online).
Couple of learning points - non-internet facing networks can't see sinkhole, through 2017 it was Microsoft's biggest AV detection still (bigger at end of year than outbreak), hits of @kryptoslogic sinkhole domain suggest ~400k+ unique IPs still infected, with NAT meaning = more.— kevin (@GossiTheDog) August 6, 2018
Later versions of WannaCry, however, do not have an encoded kill switch domain. Hence if TSMC was infected by one of those versions, the lack of direct internet connectivity would not have mattered.
But TSMC could have avoided the outbreak altogether if it had patched the vulnerability that WannaCry exploited.
The company says in a separate statement that "this virus infected fab tools and automated materials handling systems, as well as related computer systems, which used Windows 7 without patched software for their tool automation interface. It caused affected tools to become inoperable and rendered certain automated materials handling systems unable to function normally."
"This is purely our negligence so I don't think there is any hacking behavior."
—C.C. Wei, CEO, TSMC
The Windows exploit that was built into WannaCry traces to a mysterious group called the Shadow Brokers, which leaked details of the exploit and an associated attack tool in April 2017. It's unknown how the group obtained the attack tool, which security experts believe was developed by the National Security Agency (see Report: Shadow Brokers Leaks Trace to NSA Insider).
The exploit leaked by Shadow Brokers targeted a vulnerability in the Windows server message block protocol, which is used for file sharing. Microsoft patched the SMB_v1 flaw in March 2017 for supported operating systems, and after the WannaCry outbreak, issued fixes for older operating systems as well (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch).
WannaCry: Not Dead Yet
Despite the availability of patches, however, organizations continue to get stung by WannaCry more than a year after it first appeared.
"All it takes is lack of patching + vendor brings in infected laptop = bad weekend," Beaumont writes on Twitter.
In fact, WannaCry was the most prevalent piece of malware seen in the wild in June, when it accounted for 38 percent of the top 10 most seen malware samples, according to the Center for Internet Security.
Beaumont says that more than 400,000 IP addresses - each a WannaCry-infected endpoint - have contacted the sinkhole. He notes that there are likely many more machines that are behind network address translation gateways that remain infected but which cannot be counted because they're not pinging the sinkhole.
Kryptos Logic, the company that controls the WannaCry kill switch, likewise wrote in April that WannaCry "is still very much active."
For the whole of March, "we have observed approximately 100 million connection attempts, from 2.7 million unique IPs, on the kill switch," the company said. "This has been the trend for almost a year with little sign of slowing down."
As a result, even if organizations have no detectable WannaCry infections, they can be "reasonably susceptible to an outbreak at any given moment if patching is incomplete," Kryptos Logic said.
"The perfect storm exists where endpoints have no AV installed and Windows is not updated," it said. "Ironically, this is quite typical of the most critical production environments. Organizations most at risk are those unaware of hosting residual infections and which operate unpatched adjacent systems."
Executive Editor Mathew Schwartz contributed to this story.