NXP Faces Prolonged Breach by Chimera Group

On November 24, 2023, members of the Dutch press were told of a significant cybersecurity incident involving NXP, a Dutch microchip designer and manufacturer.

Reports say that the company fell victim to Chinese hackers belonging to the Chimera group, who gained unauthorized access to sensitive data, maintaining their presence within NXP's systems for nearly three years.

Remarkably, NXP remained unaware of the breach until Transavia, a subsidiary of KLM Airlines, discovered Chimera's activities during one of its own investigations. Forensic analysis during that investigation showed that Chimera had infiltrated NXP's systems as well, with access dating back to the end of 2017 and extending into the spring of 2020.

The attackers specifically targeted chip designs and sensitive corporate data, exfiltrating email archives and confidential information. Their entry points included employee accounts compromised through credentials obtained from dark web leaks, coupled with the use of brute-force tools and publicly accessible data.

Notably, this breach didn't only impact NXP; at least seven Taiwanese chip companies and Transavia also found themselves embroiled in the aftermath. Alarmingly, despite NXP's security enhancements, the company experienced another data breach in 2023.

The Chimera Group, previously believed to have been active only since 2018, presents as a China-based threat actor primarily targeting the semiconductor sector. However, this incident reveals their expansion into the airline industry, hinting at campaigns that have not yet been disclosed.

Findings indicate that Chimera orchestrated their attacks using account data from prior breaches and by scraping publicly accessible information from platforms like Facebook and LinkedIn. Further, allegedly unrelated breaches occurred at NXP in July 2023, resulting in the theft of additional data, including customer names, email addresses, phone numbers, and other personal details. The specifics of the compromised data remain undisclosed, and no threat actor has been identified.