Operation Skeleton Key: 'Chimera' Hacker Group Targets Taiwanese Semiconductor Manufacturers

A hacker group dubbed Chimera has been found targeting numerous semiconductor vendors in Taiwan, using a skeleton key injector technique to steal intellectual property.


Stealing the semiconductor secrets

Skeleton APT, operational since 2018, recently targeted at least seven semiconductor manufacturers located at the Hsinchu Science Industrial Park in Taiwan in a well-coordinated attack.
  • In this campaign, hackers were reportedly after organizations’ intellectual property and confidential semiconductor designs.
  • For initial access, the Chimera group uses stolen credentials to access corporate IDs and VPNs. It subsequently exploits Remote Desktop Protocol (RDP) to gain access to the company’s servers.
  • The APT also used a custom data compression tool, ChimeRAR, to archive the harvested data and send it to the Command-and-Control (C2) server.


Modus operandi

Alongside a plethora of custom-built malicious tools, the group used several additional tactics during its espionage campaigns.
  • The attackers used ‘Skeleton Key Injector,’ a custom tool that targets Active Directory (AD) and Domain Controller (DC) servers, allowing lateral movement across the network.
  • Researchers also detected the use of a customized form of the Cobalt Strike tool, masquerading as a Google Update function (GoogleUpdate.exe), which implements backdoor beacons and performs persistence-related activities.
  • To hide its activities, the group used multiple C2 domains hosted on public cloud platforms such as Google Cloud and Microsoft Azure, as well as other public cloud services.
  • The APT used code snippets from Mimikatz and Dumpert to bypass API monitoring as well as antivirus and endpoint protection solutions.
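
A defender-side check for the GoogleUpdate.exe masquerade described above, as an added example that is not from the original article or the researchers: it flags process records whose image is named GoogleUpdate.exe but runs from an unexpected folder or lacks a valid Google signature. The install folders, signer names, record field names and sample records are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed legitimate Google Update install folders (not taken from the article).
EXPECTED_DIRS = [
    re.compile(r"^c:\\program files( \(x86\))?\\google\\update(\\[\d.]+)?$"),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\google\\update(\\[\d.]+)?$"),
]
EXPECTED_SIGNERS = {"google llc", "google inc"}  # assumed publisher names

def review_event(event):
    """Return the reasons a process record looks like a fake GoogleUpdate.exe."""
    image = ntpath.normcase(ntpath.normpath(event.get("Image", "")))
    if ntpath.basename(image) != "googleupdate.exe":
        return []  # other binaries are out of scope for this check
    reasons = []
    if not any(p.match(ntpath.dirname(image)) for p in EXPECTED_DIRS):
        reasons.append("unexpected path")
    signer = event.get("Signer", "").strip().lower()
    if event.get("SignatureStatus") != "Valid" or signer not in EXPECTED_SIGNERS:
        reasons.append("unsigned or unexpected signer")
    return reasons

def triage(events):
    """Group suspicious records by host: {host: [(image, reasons), ...]}."""
    hits = {}
    for ev in events:
        reasons = review_event(ev)
        if reasons:
            hits.setdefault(ev["Host"], []).append((ev["Image"], reasons))
    return hits

# Constructed sample records; field names are hypothetical, not a real EDR schema.
SAMPLE_EVENTS = [
    {"Host": "WS01", "Image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "Signer": "Google LLC", "SignatureStatus": "Valid"},
    {"Host": "WS02", "Image": r"C:\Users\Public\GoogleUpdate.exe",
     "Signer": "", "SignatureStatus": "Unsigned"},
    {"Host": "DC01", "Image": r"C:\Windows\Temp\googleupdate.exe",
     "Signer": "Google LLC", "SignatureStatus": "Invalid"},
    {"Host": "WS03", "Image": r"C:\Users\alice\AppData\Local\Google\Update\GoogleUpdate.exe",
     "Signer": "", "SignatureStatus": "Unsigned"},
    {"Host": "WS01", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Signer": "Google LLC", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, findings)
```

The signature check matters even for the expected folders, since a file dropped into a legitimate-looking path would pass the path check alone.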


Recent skeleton key incidents

  • In mid-June 2020, researchers were able to create a Proof-of-Concept (PoC) which would allow them to control and manipulate Azure authentication functions to hand over a ‘skeleton key’ password and to dump all the clear-text credentials.
  • In April 2020, it was found that the skeleton key can be used as a way to exploit an Azure synced environment, unlocking the entire environment for cyber-criminals.


Bottom line

Skeleton key attacks could allow attackers to log into a targeted system without the need for valid credentials. The threat actors could remain hidden for a long time since their targeted machines (AD and DC Servers) are not rebooted frequently. To avoid such incidents, users of Azure or other cloud environments must use multi-factor authentication.