Communist China's Hackers Pillage Taiwan's Semiconductor Industry [Chinese-English bilingual translation]

News source: Wired; author: Andy Greenberg; published: 08.06.2020 / August 6, 2020

Translation/commentary: 理工男文峰; proofreading: Beicy-数学老师; review: 海阔天空; Page: 拱卒

Commentary:

This article describes in detail the specific techniques Communist China's hackers used to pillage Taiwan's semiconductor industry, along with the supporting evidence, further confirming the CCP's crime of using hackers to steal other countries' core technology. The CCP's hacker forces hold a strategic position inside the CCP, because the CCP's system stifles innovation, so nearly all of the CCP's technology has to be obtained by theft. Using the power of the state, the CCP steals technology not only from Taiwan but also from other countries around the world, such as the United States and Canada. The CCP's purpose in using hacker forces to steal technology is to build its own technological advantage, which it uses for military threats abroad and for surveillance of its own citizens at home. Although network decoupling would deal a major blow to the CCP's hacker theft of patents and technology, it still cannot eliminate these activities at the root, because the CCP's hackers are already spread across many countries. Only eliminating the CCP can cure the disease at its root.

Translation of the original:

Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry

Communist China's Hackers Pillage Taiwan's Semiconductor Industry

A campaign called Operation Skeleton Key has stolen source code, software development kits, chip designs, and more.

A campaign called "Operation Skeleton Key" has stolen source code, software development kits, chip designs, and more.

TAIWAN HAS FACED existential conflict with China for its entire existence and has been targeted by China's state-sponsored hackers for years. But an investigation by one Taiwanese security firm has revealed just how deeply a single group of Chinese hackers was able to penetrate an industry at the core of the Taiwanese economy, pillaging practically its entire semiconductor industry.

Taiwan has faced an existential conflict with Communist China for as long as it has existed, and for years it has been the target (of attacks) by Communist China's state-funded hackers. But an investigation by a Taiwanese security firm shows that a single group of mainland hackers was able to penetrate so deeply into the core industry of Taiwan's economy that it pillaged almost the entire semiconductor industry.

At the Black Hat security conference today, researchers from the Taiwanese cybersecurity firm CyCraft plan to present new details of a hacking campaign that compromised at least seven Taiwanese chip firms over the past two years. The series of deep intrusions—called Operation Skeleton Key due to the attackers' use of a "skeleton key injector" technique—appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company's new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom.

At today's Black Hat security conference, researchers from the Taiwanese cybersecurity firm CyCraft plan to present new details of hacking attacks on at least seven Taiwanese chip companies over the past two years. This series of deep intrusions is called "Operation Skeleton Key" because the attackers used a "skeleton key injection" technique; (the intrusions) appear aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. Although CyCraft had previously named this group of hackers Chimera, the company's new findings include evidence linking the hackers to mainland Communist China, as well as a loose connection to the notorious Communist Chinese state-sponsored hacker group Winnti. Winnti is also sometimes known as Barium or Axiom.

"This is very much a state-based attack trying to manipulate Taiwan's standing and power," says Chad Duffy, one of the CyCraft researchers who worked on the company's long-running investigation. The sort of wholesale theft of intellectual property CyCraft observed "fundamentally damages a corporation's entire ability to do business," adds Chung-Kuan Chen, another CyCraft researcher who will present the company's research at Black Hat today. "It's a strategic attack on the entire industry."

Chad Duffy, one of the researchers who worked on CyCraft's long-running investigation, said: "This is very much a state(-based) attack, aimed at manipulating Taiwan's standing and power." Chung-Kuan Chen, another CyCraft researcher, added that the kind of wholesale theft of intellectual property CyCraft observed "fundamentally damages a (Taiwanese) company's entire ability to do business"; "it is a strategic attack on the entire industry." He will present the company's research at Black Hat today.

Skeleton Key

Skeleton Key

The CyCraft researchers declined to tell WIRED the names of any victim companies. Some were CyCraft customers, while the firm analyzed other intrusions in cooperation with an investigative group known as the Forum of Incident Response and Security Teams. Several of the semiconductor company victims were headquartered at the Hsinchu Industrial Park, a technology hub in the Northwest Taiwanese city of Hsinchu.

CyCraft's researchers declined to tell WIRED the names of any victim companies. Some (of the victims) were CyCraft customers, while the company analyzed other intrusions in cooperation with an investigative group called the "Forum of Incident Response and Security Teams". Several of the semiconductor company victims were headquartered in the Hsinchu Industrial Park, a technology hub in Hsinchu, a city in northwest Taiwan.

The researchers found that in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn't clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous.

The researchers found that, at least in some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it was unclear whether they had obtained VPN access credentials or directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration-testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google's or Microsoft's cloud services, making its communications harder to detect as anomalous.
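The masquerade described above (malware carrying the name of a Chrome update file) is one a defender can screen for from process-creation telemetry: a well-known file name is only legitimate when it runs from the directories it is installed to. The following is an added example, not code from the article or from CyCraft; the allow-list of directories, the Sysmon-style field names (`Host`, `Image`, `Signed`) and the sample events are all constructed for illustration.

```python
"""Flag executables that borrow a well-known file name but run from an
unexpected directory, or run unsigned. Added example with constructed data."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allow-list: lower-cased file name -> lower-cased directories
# it legitimately runs from. Constructed for this example; a real baseline
# would be built from an inventory of the organisation's own endpoints.
EXPECTED_DIRS = {
    "googleupdate.exe": {
        r"c:\program files (x86)\google\update",
        r"c:\program files\google\update",
    },
    "chrome.exe": {
        r"c:\program files\google\chrome\application",
        r"c:\program files (x86)\google\chrome\application",
    },
}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    reason: str


# Constructed process-creation events (key=value, quoted values may contain spaces).
SAMPLE_EVENTS = [
    'Host=WS01 Image="C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" Signed=true',
    'Host=WS02 Image="C:\\Users\\Public\\GoogleUpdate.exe" Signed=false',
    'Host=WS03 Image="C:\\Windows\\Temp\\chrome.exe" Signed=false',
    'Host=WS04 Image="C:\\ProgramData\\Update\\googleupdate.exe" Signed=true',
    'Host=WS05 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" Signed=true',
]

# group 1 = key, group 2 = raw value, group 3 = unquoted content when quoted
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def check_event(fields):
    """Return a Finding if the image masquerades as a known executable, else None."""
    path = PureWindowsPath(fields["Image"])
    name = path.name.lower()
    if name not in EXPECTED_DIRS:
        return None                       # not a name we baseline
    parent = str(path.parent).lower()     # Windows paths compare case-insensitively
    if parent in EXPECTED_DIRS[name]:
        return None                       # legitimate install location
    reason = f"{path.name} outside expected directories"
    if fields.get("Signed", "").lower() != "true":
        reason += " and unsigned"
    return Finding(fields["Host"], str(path), reason)


def scan(lines):
    """Run every event through check_event and keep the findings."""
    return [f for f in (check_event(parse_event(line)) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.image} -> {finding.reason}")
```

The signed-but-misplaced case (WS04) is deliberately still reported: a valid signature on a file in the wrong place is worth an analyst's look, because the allow-list is about where the real updater lives, not about whether some binary has a signature at all.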

From their initial access points, the hackers would attempt to move to other machines on the network by accessing databases of passwords protected with cryptographic hashing and attempting to crack them. Whenever possible, CyCraft's analysts say, the hackers used stolen credentials and legitimate features available to users to move through the network and gain further access, rather than infect machines with malware that might reveal their fingerprints.

From the initial access point, the hackers would go into password databases protected with cryptographic hashing and try to crack them, (thereby) attempting to move to other computers on the network. CyCraft's analysts say that whenever possible, the hackers used stolen credentials and legitimate features available to users to move through the network and gain further access, rather than infecting computers with malware that might reveal their fingerprints.

The most distinctive tactic that CyCraft found the hackers using repeatedly in victim networks, however, was a technique to manipulate domain controllers, the powerful servers that set the rules for access in large networks. With a custom-built program that combined code from the common hacking tools Dumpert and Mimikatz, the hackers would add a new, additional password for every user in the domain controller's memory—the same one for each user—a trick known as skeleton key injection. With that new password the hackers would have surreptitious access to machines across the company. "It's like a skeleton key that lets them go anywhere," Duffy says.

However, the most distinctive tactic CyCraft found the hackers using repeatedly in victim networks was a technique for manipulating domain controllers, the powerful servers that set the rules for access in large networks. Using a custom program that combined code from the common hacking tools Dumpert and Mimikatz, the hackers would add a new, additional password for every user in the domain controller's memory, the same password for every user, a trick known as "skeleton key injection". With that new password, the hackers could secretly access machines across the entire company. "It's like a skeleton key that lets them go anywhere," Duffy says.
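Skeleton key injection patches the domain controller's authentication process in memory, so it leaves no new account and no changed password to audit; what it does leave is a side effect in Kerberos traffic. The injected master password is only usable with RC4-HMAC (encryption type 0x17), so a logon using it from an account that normally authenticates with AES (0x11/0x12) shows up as an encryption downgrade on the DC's ticket-request events, and because the same password works for every user, one client tends to produce RC4 requests for many different accounts. The block below is an added example, not CyCraft's tooling or data: the event-line format, the field names (`EventID`, `Account`, `Client`, `EType`) and both logs are constructed for illustration.

```python
"""Detect a Kerberos encryption downgrade consistent with skeleton key
injection: accounts with an AES-only baseline suddenly requesting RC4 tickets,
and single clients requesting RC4 tickets for many accounts. Added example."""
import re
from collections import defaultdict

AES_ETYPES = {"0x11", "0x12"}   # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
RC4_ETYPE = "0x17"              # RC4-HMAC, the only type the injected password works with

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed known-good window of 4768 (TGT request) events. svc_old is a
# legacy account that legitimately still uses RC4, so it must not be flagged.
BASELINE_LOG = [
    "EventID=4768 Account=alice Client=10.0.0.5 EType=0x12",
    "EventID=4768 Account=bob Client=10.0.0.6 EType=0x12",
    "EventID=4768 Account=carol Client=10.0.0.7 EType=0x11",
    "EventID=4768 Account=svc_old Client=10.0.0.20 EType=0x17",
    "EventID=4769 Account=alice Client=10.0.0.5 EType=0x12",
]

# Constructed later window: one client authenticates as three AES accounts via RC4.
LIVE_LOG = [
    "EventID=4768 Account=alice Client=10.0.0.5 EType=0x12",
    "EventID=4768 Account=alice Client=10.0.0.99 EType=0x17",
    "EventID=4768 Account=bob Client=10.0.0.99 EType=0x17",
    "EventID=4768 Account=carol Client=10.0.0.99 EType=0x17",
    "EventID=4768 Account=svc_old Client=10.0.0.20 EType=0x17",
]


def parse(line):
    """key=value line -> dict."""
    return dict(FIELD_RE.findall(line))


def build_baseline(lines):
    """Per-account set of TGT encryption types seen during a known-good window."""
    baseline = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("EventID") == "4768":
            baseline[ev["Account"]].add(ev["EType"])
    return dict(baseline)


def detect_downgrade(baseline, lines, min_accounts_per_client=3):
    """Return (downgraded (account, client) pairs, clients with RC4 for many accounts)."""
    downgraded = []
    rc4_accounts_by_client = defaultdict(set)
    for ev in map(parse, lines):
        if ev.get("EventID") != "4768" or ev.get("EType") != RC4_ETYPE:
            continue
        rc4_accounts_by_client[ev["Client"]].add(ev["Account"])
        known = baseline.get(ev["Account"], set())
        # Only an account that has *never* used RC4 before counts as downgraded;
        # accounts with an RC4 history (legacy keys) are expected to keep using it.
        if known and known <= AES_ETYPES:
            downgraded.append((ev["Account"], ev["Client"]))
    suspicious_clients = sorted(
        client for client, accounts in rc4_accounts_by_client.items()
        if len(accounts) >= min_accounts_per_client
    )
    return downgraded, suspicious_clients


if __name__ == "__main__":
    pairs, clients = detect_downgrade(build_baseline(BASELINE_LOG), LIVE_LOG)
    for account, client in pairs:
        print(f"RC4 downgrade: {account} from {client}")
    for client in clients:
        print(f"client {client} requested RC4 tickets for many accounts")
```

Two caveats follow from how the patch works. First, a legitimately RC4-only account (a password never rotated since AES keys were introduced, or an old application) will never trip the first check, which is why the baseline is learned rather than assumed; the second check, many accounts from one client, is the signal that survives a noisy environment. Second, the patch lives only in the DC's memory, so a reboot removes it, and the logs are the only lasting record.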

China Ties

Ties to Communist China

CyCraft quietly published most of these findings about Operation Skeleton Key in April of this year. But in its Black Hat talk, it plans to add several new findings that help to tie the hacking campaign to mainland China.

In April of this year, CyCraft quietly published most of its findings on "Operation Skeleton Key". But in its Black Hat talk, the company plans to add several new findings that help link the hacking campaign to mainland Communist China.

Perhaps the most remarkable of those new clues came from essentially hacking the hackers. CyCraft researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from their communications to a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. That document was notably written in simplified Chinese characters, used in mainland China but not Taiwan.

Perhaps the most striking of these new clues came from essentially hacking the hackers. CyCraft's researchers observed the Chimera group exfiltrating data from a victim's network and were able to intercept an authentication token from its communications with a command-and-control server. Using that same token, CyCraft's analysts were able to browse the contents of the cloud server, which included what they describe as a "cheat sheet" for the hackers, outlining their standard operating procedure for typical intrusions. Notably, that document was written in simplified Chinese characters, which are used in mainland Communist China but not in Taiwan.

The hackers also appeared to operate largely within Beijing's time zone, to follow a "996" work schedule—the 9am to 9pm, six-days-a-week regimen common in the Chinese tech industry—and to take off Mainland Chinese holidays. Finally, CyCraft says they've learned from their cooperation with Taiwanese and foreign intelligence agencies that a hacker group using similar techniques also targeted Taiwanese government agencies.

The hackers also appeared to operate mainly within Beijing's time zone, to follow a "996" work schedule (9 am to 9 pm, six days a week, a regimen common in Communist China's tech industry), and to take mainland Chinese holidays off. Finally, CyCraft says it learned from its cooperation with Taiwanese and foreign intelligence agencies that a hacker group using similar techniques also targeted Taiwanese government agencies.

Most specifically revealing, though, was the presence of one backdoor program on multiple victims' networks that CyCraft says was previously used by the Winnti group, a large collection of hackers who have operated for over a decade and who are widely believed to be based in mainland China. In recent years, Winnti has become known for carrying out a mix of what appears to be state-sponsored hacking aligned with China's interests and for-profit criminal hacking, often targeting videogame firms. In 2015, Symantec found that Winnti also appeared to be using skeleton key injection attacks like the kind CyCraft found used against the Taiwanese semiconductor companies. (CyCraft notes that it's still not certain that Chimera is in fact Winnti, but considers it a likely possibility.)

The most specifically revealing finding, however, was the presence on multiple victims' networks of a backdoor program that CyCraft says was previously used by the Winnti group, a large collection of hackers who have been active for more than a decade and are widely believed to be based in mainland Communist China. In recent years, Winnti has become known for carrying out a mix of what appears to be state-sponsored hacking aligned with Communist China's interests and for-profit criminal hacking (often targeting video-game companies). In 2015, Symantec found that Winnti also appeared to be using "skeleton key" injection attacks like those CyCraft found used against the Taiwanese semiconductor companies. (CyCraft notes that it is still not certain (whether) Chimera is in fact Winnti, but considers it likely.)

Kaspersky, which first spotted and named the Winnti group in an investigation published in 2013, last year linked the group to an attack that hijacked the update mechanism for computers sold by Taiwan-based Asus. Costin Raiu, the director of Kaspersky's Global Research & Analysis Team, says Winnti is responsible for other attacks on a broad range of Taiwanese companies beyond the semiconductor makers CyCraft has focused on, from telecoms to tech firms.

Kaspersky first spotted and named the Winnti group in an investigation published in 2013. Last year, it linked the group to an attack that hijacked the update mechanism for computers sold by Taiwan-based Asus. Costin Raiu, director of Kaspersky's Global Research & Analysis Team, says that beyond the semiconductor makers CyCraft has focused on (which were hacked), Winnti is responsible for a broad range of attacks on other Taiwanese companies, from telecoms to tech firms.

"It's possible that what they’re seeing is just a small fragment of a larger picture," Raiu says. Winnti isn't unique among China-linked groups in their widespread targeting of Taiwan, Raiu adds. But he says Winnti's innovative tactics, like the hijacking of Asus's software updates, set them apart.

Raiu says: "What they're seeing may be just a small fragment of a larger picture." Raiu adds that Winnti is not the only China-linked (hacker) group that widely targets Taiwan. But he says Winnti's innovative tactics, such as hijacking Asus's software updates, set them apart.

Even amidst China's wholesale hacking of its island neighbor, though, CyCraft's Duffy argues that the semiconductor industry represents a particularly dangerous target. Stealing chip schematics, he points out, could potentially allow Chinese hackers to more easily dig up vulnerabilities hidden in computing hardware. "If you have a really deep understanding of these chips at a schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they even get released," Duffy says. "By the time the devices hit the market, they're already compromised."

Still, even amid Communist China's wholesale hacking of its island neighbor, CyCraft's Duffy argues that the semiconductor industry is a particularly dangerous target (for attack). Stealing chip schematics, he points out, could allow Communist Chinese hackers to more easily dig up vulnerabilities hidden in computing hardware. Duffy says: "If you have a really deep understanding of these chips at the schematic level, you can run all sorts of simulated attacks on them and find vulnerabilities before they are even released." "By the time the devices hit the market, they're already compromised."

CyCraft concedes it can't determine what the hackers are doing with the stolen chip design documents and code. And the more likely motivation of the hacking campaign is simply to give China's own semiconductor makers a leg up over their rivals. "This is a way to cripple a part of Taiwan's economy, to hurt their long-term viability," Duffy says. "If you look at the scope of this attack, pretty much the entire industry, up and down the supply chain, it seems like it's about trying to shift the power relationship there. If all the intellectual property is in China's hands, they have a lot more power."

CyCraft concedes it cannot determine what the hackers are doing with the stolen chip design documents and code. The more likely motivation for the hacking campaign is simply to give Communist China's own semiconductor makers a leg up over their rivals. Duffy says: "This is a way to cripple a part of Taiwan's economy and hurt its long-term viability." "If you look at the scope of this attack, pretty much the entire industry, up and down the supply chain, it seems to be about trying to shift the power relationship there. If all the intellectual property is in Communist China's hands, they have a lot more power."

Edited by: 【Himalaya Hawk Squad】