
A Chinese hacker group had undetected access to the network of NXP, one of the largest Dutch chip manufacturers, for over two years, an investigation by NRC reveals. The cyber attack remained under the radar for a long time and resulted in intellectual property theft. Despite NXP’s reputation for security, the compromise was not discovered until early 2020. In addition to NXP, seven Taiwanese chip companies and KLM subsidiary Transavia were also affected.

  • A Chinese hacker group called “Chimera” had undetected access to NXP’s network for more than two years;
  • The hackers used sophisticated methods, including exploiting stolen account information from previous data breaches;
  • In addition to NXP, seven Taiwanese chip companies and Transavia were also affected.

The break-in at Dutch chip manufacturer NXP by a hacker group affiliated with China reaches further than first assumed. The cyber group ‘Chimera’ managed to circumvent security measures using sophisticated methods and by exploiting the accounts of unsuspecting employees. All this was discovered only after a tip-off following a hack at Transavia, a subsidiary of KLM.

The attack shows how even the most advanced technology companies are vulnerable to cyber espionage, Marc Hijink writes in his article. NXP, a leading supplier of chips for the automotive industry, has had to admit to being a victim of these targeted espionage attacks. The perpetrators were primarily interested in stealing chip designs and mailboxes containing large amounts of sensitive information. This intellectual property is of great value to competitors and states seeking to influence or dominate the technology industry.

Advanced techniques of the hackers

The hackers used stolen account information from previous data breaches at services such as LinkedIn or Facebook. With this information, they were able to impersonate ordinary employees and gain access to NXP’s network. They then proceeded to methodically steal, compress, and encrypt large amounts of data. This data was prepared to be copied via cloud services like Google Drive, Microsoft OneDrive, and Dropbox.

The way the hackers proceeded indicates a large-scale and well-coordinated attack. It is a tactic befitting an advanced persistent threat (APT) group that would serve the interests of the Chinese state. This is supported by findings from the Dutch intelligence agency AIVD, which links the cyberspies to China.

NXP’s response

Although NXP stated in its 2020 and 2021 annual reports that the hack did not result in “material” damage, the theft of intellectual property should not be understated. The event prompted NXP to take cyber espionage risks even more seriously. The company reported falling victim to another data breach in September 2023. This leak was discovered and closed within three days, showing NXP had strengthened its security protocols following the attack by Chimera.

International implications

Taiwan, a major player in the global chip market, was also affected. At least seven Taiwanese chip companies were victims of the same hacker group. This highlights that the threat of cyber espionage is not limited to Dutch borders. It shows a pattern of targeted attacks on high-tech industries and critical infrastructure worldwide.

The NXP incident and subsequent revelations have drawn attention to the need for companies to strengthen their cyber security. With the growing complexity of digital infrastructure and the value of data, protecting against cyber espionage is becoming increasingly crucial to maintaining competitive advantage and national security.

The role of government

In light of these events, the question is how governments and the private sector can work together to prevent such attacks in the future. The AIVD plays a vital role in identifying threats and advising companies of potential vulnerabilities. This collaboration is essential to create an environment where threat information can be shared quickly, and companies can respond appropriately to incidents. Sharing best practices and raising awareness about cyber risks are steps that must be taken to ensure the digital security of companies and society as a whole.