Chipmaker Intel has confirmed that source code from its Alder Lake processor has been leaked on the 4Chan community as well as code repository GitHub. This is the latest in a spate of cyberattacks against semiconductor manufacturers this year. Analysts have warned that such attacks could have devastating consequences for the entire semiconductor supply chain.
A Twitter user named “Freak” posted links online to what they are claiming is the source code for Alder Lake’s UEFI firmware. This is code that launches before a machine’s operating system to ensure that the computer is running everything properly. It is fundamental to how systems operate.
Intel has confirmed the leak is genuine: “Our proprietary UEFI code appears to have been leaked by a third party”, the company said. “We do not believe this exposes any new security vulnerabilities as we do not rely on obfuscation of information as a security measure.”
The leak contains 5.97GB of source code, private keys, files and change logs. Despite Intel’s confidence that the leak will not pose any risks to those using its products, cybersecurity researchers are less convinced. “If that source code is public, anybody can now start to do their own hunting for vulnerabilities in that software, to exploit it in the future,” says Toby Lewis, global head of threat analysis at Darktrace.
Lewis says that now this data is available “there is the risk that something like SolarWinds could happen again”. This breach in 2020 saw IT management software company SolarWinds compromised, and led to supply chain attacks on many of its customers.
Those who have the code could do something similar to vulnerable Intel chips, Lewis says. Intel had 1.15 trillion semiconductor unit shipments worldwide in 2021, though Alder Lake only accounts for a small percentage of these.
Is the chip industry a target for cyberattacks?
Analysts say the high demand for semiconductors and the value of the market are attracting the attention of cybercriminals. This year there have been eight separate cyberattacks on leading semiconductor companies, according to a report from security company Recorded Future.
There have been attacks on industry giants like Nvidia, AMD and Samsung, as well as other, less well-known companies including Ignitarium, Diodes, SilTerra Malaysia, Semikron and Etron Technology.
Stolen files from Taiwanese chipmaker ADATA appeared on the ransomware blog of cybercrime gang RansomHouse just last week, although the company has now denied that this data is from a recent hack.
The critical nature of chips to many industries means attacks have the potential to be lucrative for criminals, with manufacturers keen to avoid supply problems. “Delays or disruptions to the semiconductor industry in the current semiconductor chip shortage situation could have a negative impact across many industries across the globe,” explains Jason Steer, global CISO at Recorded Future.
Meanwhile, the intellectual property held by chip manufacturers can make them the target for state-backed hackers, the Recorded Future report says. The company’s researchers noted that while none of the cyberattacks on semiconductor companies have “direct connections” to nation-state groups, several affected businesses have found “state-sponsored threat actors masquerading as ransomware groups and using at least five ransomware variants — LockFile, AtomSilo, Rook, Night Sky, and Pandora — to conduct cyber espionage.”
How can chip manufacturers protect themselves?
Aside from basic cybersecurity, Sam Curry, CSO at security company Cybereason, argues that all chipmakers should consider putting “bug bounty” programmes in place. Many Big Tech companies run these programmes to incentivise hackers to report vulnerabilities they find in exchange for a fee.
Such threat-hunting programmes could “root out potential malicious activity long before it becomes a problem”, Curry says. Intel already runs one of these programmes, which it expanded earlier this year.
Failing to deploy such tactics is particularly dangerous on a global scale, warns Darktrace’s Lewis. Such vital information on chip production in the wrong hands could have dire geopolitical consequences: “The ability to effectively just turn off a state’s entire IT set-up at will becomes a really powerful tool as part of any sort of military intervention,” he says.