
What made NXP so valuable to Chinese hackers?

It emerged on Friday that the Chinese hacker group “Chimera” had been able to spy on NXP for years. Its corporate network’s security proved inadequate, resulting in the theft of chip designs. But what in particular made NXP’s chips attractive to the Chinese hackers?

Dutch news outlet NRC revealed on Friday that Chinese cyber spies remained undetected in NXP’s corporate network between October 2017 and early 2020. Login credentials exposed in data breaches at LinkedIn and Facebook, among others, would have allowed the attackers to “walk in through the front door” of the IT network. Two-step verification also proved easy to circumvent simply by changing phone numbers. Chimera went on to target chip designs and employee emails. The hackers then exfiltrated the captured data through cloud services such as OneDrive and Dropbox. Thanks to lateral movement within the IT environment and secret digital visits every few weeks, the hacker group captured information continuously. Although NXP claims it suffered no material damage, it admits the attackers made off with intellectual property.

NXP is Europe’s second-largest chip designer after ASML, with a market cap of 52 billion euros. Airline company Transavia was also targeted by the group, which led to the leaking of passenger passport data, among other things. Only when Chimera attacked Transavia did it turn out that the same group had also been behind the attack on NXP. Dutch security firm Fox-IT discovered that heavy Internet traffic linked the Chinese hackers with Eindhoven, Netherlands, NXP’s home base. Both companies are interesting targets for China, with NXP having specific IP in several areas the Chinese state would have been eager to get its hands on.

Automotive: everything from audio and interfaces to crash prevention

A look at NXP’s quarterly figures shows that the automotive sector provides a significant portion of the company’s revenue. This was already true in the 2017-2020 period when Chinese hackers were active, but remains the case today.

NXP’s automotive offering is substantial. Since splitting off from Philips in 2006, NXP has become a leader in chips tailored for the sector. It has therefore had ample time to optimize these semiconductor designs, doubtlessly benefiting from the meteoric rise of EVs. Over the past decade-and-a-half, the importance of this hardware has increased dramatically. Of particular interest are the In-Vehicle Network products. Among them, NXP offers FlexRay transceivers that can carry data within cars faster than the alternatives and are said to be crucial to keeping the amount of cabling within a vehicle minimal. NXP itself emphasizes the importance of weight reduction, savings in raw materials use, no emissions and minimal accidents.

In addition, NXP has chips that can provide assistive driving functions or manage electricity consumption efficiently. It doesn’t stop there: interface controllers, audio and radio equipment and braking systems are also part of NXP’s offering. In short: all of this would have represented a treasure trove for the hackers to loot, especially given the company’s long-standing expertise.

Now, the success of Chinese EV manufacturers in Europe is already considerable. Thanks to favourable trade rules, companies like MG (owned by China’s SAIC), BYD and Polestar (owned by Geely) have provided a “flood” of cheap EVs to our continent. The European Commission launched an investigation two months ago, hoping to learn more about the role that significant Chinese state subsidies play in supply from that country. As it happens, Chinese automakers are already particularly attractive to consumers as cheap alternatives to European brands. By snatching IP away from a party like NXP, these parties can gain ground in efficiency. This threatens to shift the balance even more in China’s favour.

‘Secure elements’: from public transport chip card to Apple Pay

NXP chips are not only in vehicles but also in your pocket. NXP is the driving force behind countless chips in access cards for public transport, hotels and elsewhere. NXP touts its so-called MIFARE chips as highly secure options for several “Smart City” services. They can be found in the aforementioned cards, smartphones, wearables and keyfobs for contactless secure communication, among other things. Chinese hackers could threaten the security of these systems should they have obtained relevant information about them.

Also, NXP supplies Apple with components that make Apple Pay possible. Director of Dutch investor association VEB Gerben Everts told DataNews that the spying on NXP could have consequences in this area. Although material damage has been ruled out by the company, according to him, “the damage could still be enormous if Apple stops cooperation because [the security chip] would no longer be secure enough, for example.”

Conclusion: ambiguity reigns

Because NXP has only confirmed that the Chinese hackers made off with intellectual property, it is impossible to determine what exactly was captured. The fact that the company gave the hack little attention in previous annual reports doesn’t necessarily make it more likely that the damage in that area was limited. After all, it’s NASDAQ-listed, and ominous news could significantly damage its stock market value.

That’s why Everts advocates mandatory reporting of cyber incidents. Together with large companies, VEB wants to ensure that a statement on risk management becomes mandatory as of January 1. He also says the NXP hack is an example that any company can be vulnerable. “NXP was already more alert than ordinary companies,” he said.
