Semiconductor Industry Attack Surface Analysis

Recently, Expanse scanned the attack surface of various semiconductor organizations and analyzed traffic flows on networks of the world’s ten largest semiconductor organizations. Previously, our research covered internet risks associated with the world’s largest Financial Services and Healthcare organizations.   

The semiconductor industry is a strategic and critical industry because its products are used in computing throughout top enterprises and government agencies. Enterprises that manufacture semiconductors are prime targets for state-sponsored attacks — a fact highlighted by a recent large-scale attack, allegedly by Chinese nation-state actors, against Taiwan’s semiconductor industry in August.

For this study, Expanse monitored for Internet traffic anomalies associated with ten of the largest global semiconductor organizations by revenue over the course of a two-week period in August. Each organization studied generates more than $14 billion in annual revenue and has over 15,000 employees. Six of the organizations are U.S.-based and in the Fortune 500, while the remaining four are large Asian-headquartered enterprises listed on international stock exchanges. Expanse removed scanner traffic from our analysis, which means we’ve looked only at targeted communications. 

Here are our findings:

Frequent Communications With Exposed RDP and Telnet 

Expanse discovered frequent communications with risky Internet exposures. Most notably, at least five organizations had communications with RDP and Telnet servers respectively. 

For RDP, Expanse discovered 25 exposed RDP servers associated with five organizations total. RDP servers are a common target for attackers because they allow access to a device via a graphical user interface from a remote location. Some of the most notorious ransomware attacks like Wannacry and SamSam have targeted exposed RDP servers. It is best practice to never have RDP accessible over the public Internet. 

Expanse also observed 109 exposed Telnet servers across half of the organizations over the period of interest. Like RDP, Telnet also allows remote access to a Internet-connected device, only without the graphical user interface. Telnet is an extremely old protocol that has generally been replaced by SSH.

Connections to OFAC-Prohibited Geographies

Eight of the 10 organizations examined made Internet connections to countries prohibited by the U.S. Office of Foreign Assets (OFAC). While the OFAC sanctions only apply to U.S. financial services organizations, and thus don’t pertain to international or U.S.-based semiconductor organizations, they are still a useful framework for examining communications to geographies that are unlikely to be legitimate. 

Eight out of the 10 companies examined made connections to OFAC-countries, and 75% of all such connections were to Iran or Iraq. For one organization, Expanse observed a potential breach in progress with risky flows associated with an SMB server to Mozambique.

Connections to Tor and cryptocurrency mining pools

Six of the 10 organizations – three US-based, three based in Asia – had regular outbound communications over the Tor anonymization service, as well as communications with cryptocurrency mining pools, indicating that computing resources on their enterprise networks were being used to mine cryptocurrency.  For both kinds of communications, Expanse observed traffic on multiple IP blocks in core corporate ranges, indicating that these communications were associated with assets connected to core enterprise networks, rather than guest networks.  Expanse observed one US-headquartered organization to have over 50 distinct systems on over 30 distinct network segments communicating with mining pools, indicating a potential gap in IT controls across large swaths of enterprise IT assets.

The Bottom Line

Risky network flows and problematic exposures are common for major organizations in the semiconductor industry. Organizations in this sector supply critical IT infrastructure to commercial organizations and throughout the Defense Industrial Base, and should place a priority on managing and reducing their global Internet attack surface. The need for visibility into semiconductor organizations’ communications has never been more urgent.