In March, Nexperia, a leading manufacturer of silicon-based processors based in the Netherlands, and a subsidiary of China-based Wingtech Technology, was the victim of a ransomware attack. The hack has been attributed to a RaaS group called Dark Angels, or the Dunghill Group. This is the same group that hit Johnson Controls with a $51 million ransomware demand late last year.
This latest exploit targeted the chipmaker’s servers, encrypting over 1TB of data that included semiconductor designs, production dashboards, research and development information, detailed employee data, and privileged information on an estimated 900 customers, including Huawei, SpaceX and Apple. Nexperia was forced to shut down IT systems and has launched an investigation to determine the full scope of the attack. Law enforcement was also notified.
Dark Angels has released some of the files as proof of the attack and is threatening to leak everything unless its ransom is paid. Nexperia operates semiconductor fabrication plants in Germany and the UK, and produces a collection of other electronic components.
To gain further insight on the attack and what it means for the industrial sector, I recently sat down with cybersecurity experts James McQuiggan of KnowBe4, and Sean McNee of DomainTools.
Jeff Reinke, editorial director: This is Dark Angels' second high-profile attack against a manufacturer in the last six months. What more can you tell us about this group?
James McQuiggan, Security Awareness Advocate, KnowBe4: Over the past decade, ransomware groups have usually been the culmination of other cybercriminal groups that have merged to collaborate in their attacks. While information is limited, some programs stem from a leaked cybercriminal group called Babuk.
Either they've leveraged the leaked software for their own attacks against VMware servers, or they were involved in the development, hence the notion that this group is made up of former cybercriminals.
Sean McNee, VP of Research and Data, DomainTools: The Dark Angels first appeared in early 2023. Babuk itself has been around since at least the start of 2021. It is unclear if the Dark Angels are a rebranding of the team who created Babuk or if they just acquired the source code. Since then, the Dark Angels have created additional tooling to target a wider variety of computer platforms.
The original Babuk ransomware is Microsoft Windows-based, whereas this new tooling contains Linux and VMware ESXi-focused payloads.
This group seems to have been targeting energy, manufacturing, and automation control companies who have operations in and around the South China Sea. What sets Dark Angels apart is their threats to release the data to Chinese, Indian, or other competitors. While Dark Angels operates as an independent ransomware actor, their practices do suggest an alignment to China’s “Made in China 2025” initiative, as many of the industries targeted align to the key sectors, advantages, and goals as laid out in MIC 2025.
JR: While nothing has been confirmed, similar attacks have been the result of hackers accessing servers via compromised login credentials. What lessons still need to be learned or reinforced regarding login/access security?
JM: Organizations need to utilize threat intelligence groups or have their own resources to monitor for credentials being leaked in these various groups and on the dark web. When one of their credentials is discovered, they need a well-documented and repeatable process to implement a password reset of those credentials as soon as possible.
SM: Following the wisdom of Shrek, cybersecurity best practices are like onions: they should be implemented in layers. The most core layers relate to ensuring password management, possibly via password managers, enabling multi-factor authentication whenever possible, and performing regular access audits.
Just as important is ensuring there is regular patching and updating of critical systems, providing training to employees and vendors, and setting up incident response plans to ensure an organization can respond quickly to possible events.
Executing on the base layers consistently is the best defense an organization can have against bad actors. It is always worth the costs and investments in these base layers. For organizations who have built a strong foundation layer, CISA released their Zero Trust Maturity Model whitepaper in early 2023, providing guidance to help organizations “prevent unauthorized access to data and services coupled with making the access control enforcement as granular as possible.”
The maturity model is broken up into five pillars: Identity, Devices, Networks, Applications/Workloads, and Data, and provides guidance to secure each pillar. As organizations mature in their cybersecurity processes, this Maturity Model provides guidance on improving access control, leading to an eventual zero trust design.
JR: This is another double-extortion campaign where the Dark Angels group is demanding a ransom and threatening to release data if their demands are not met. Is this a tactic you feel more RaaS groups will use going forward?
JM: For the past several years, cybercriminals and ransomware groups have used this double extortion tactic frequently. It exploits not just the immediate operational impacts of data loss, but also the long-term reputational damage associated with data breaches. The success of these tactics, as seen by repeated use by various groups, suggests that we can expect to see their continued adoption.
As long as organizations continue to pay the ransom, cybercriminals will continue these attacks. Access and understanding for deploying ransomware are getting easier, facilitated by Ransomware-as-a-Service (RaaS) platforms that democratize the tools necessary for such attacks.
SM: This tactic first started appearing about four years ago with the emergence of Maze and Conti ransomware, among others. There are two factors which have driven the move to double extortion tactics.
First, if actors can leverage one attack to make additional money, they will. As highlighted in the Sony Pictures hack in 2014, the public exposure of private data can cause notable harm to an organization. This is especially true for organizations containing sensitive data, such as customer financial information or healthcare PII (personally identifiable information).
Second, as organizations have improved their system backup policies, it is easier for them to recover from a ransomware encryption event without paying. Indeed, some actors are moving directly to data extortion tactics and are not even bothering with encryption anymore. The value is in the data.
JR: Do you feel this hack is symbolic of potentially having too many connected assets? Are we creating vulnerabilities from being over-connected?
JM: While connectivity undoubtedly brings business benefits, including efficiency and data accessibility, it also broadens the attack surface that organizations must defend. Each connected device is a potential entry point for malicious actors.
Any user within an organization with an email address also has the proverbial electronic key to the front door. It's not only a matter of the systems exposed to the internet that the cybercriminals are constantly poking at to find weaknesses, but also of targeting the user to whom they can send a phishing email in the hopes that they click on the link and effectively open the front door to the organization, bypassing all the technology.
Organizations must balance the number of systems and users against the organization's risk appetite. Technology and procedural considerations can be taken while working with the CISO to prevent a cyberattack from being successful and reduce the risk of exposed credentials, data loss, or brand damage.
SM: We are in a connected world; that is not changing. Organizations across the world have seen tremendous value from working together across the Internet. As organizations grow in their cybersecurity maturity, they will want to review the ways in which they are connected and ensure all communications are tracked and audited.
For manufacturing organizations, there are large differences between their IT and OT networks. The control of an organization's industrial equipment and systems is critical. Access to OT devices should be restricted to small groups of people within the organization.
The highly specialized nature of OT means it typically requires custom software which may have unique security challenges. Securing OT may require security information and event management systems (SIEMs) to provide real-time analysis of applications and network activity, and next-generation firewalls (NGFWs), to heavily filter traffic coming into and out of the network.