{
	"id": "810db20c-622b-4709-b4eb-a6e55d26711d",
	"created_at": "2026-04-06T00:18:07.971532Z",
	"updated_at": "2026-04-10T13:12:10.247148Z",
	"deleted_at": null,
	"sha1_hash": "215d7bfcbe70c632bd58b2c38a58e973b1c6d0e5",
	"title": "Hackers spent 2+ years looting secrets of chipmaker NXP before being detected",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34445,
	"plain_text": "Hackers spent 2+ years looting secrets of chipmaker NXP before\r\nbeing detected\r\nBy Dan Goodin\r\nPublished: 2023-11-28 · Archived: 2026-04-05 18:33:07 UTC\r\n“NXP chips are in a lot of products,” Jake Williams, a former hacker for the National Security Agency, wrote on\r\nMastodon. “It’s likely the TA knows of specific flaws reported to NXP that can be leveraged to exploit devices the\r\nchips are embedded in, and that’s assuming they didn’t implement backdoors themselves. Over 2.5 years (at least),\r\nthat’s not unrealistic.”\r\nA separate researcher who has published research in the past documenting a successful hack on a widely used\r\nproduct containing NXP chips voiced similar surprise.\r\n“If a Chinese threat actor group gets source code or hardware designs of a chip manufacturer, these kinds of\r\ngroups can use the source code even if the source code isn’t very well commented and documented,” the\r\nresearcher, who asked not to be identified, said in an interview. “For me, [the intrusion] is a big deal. I was\r\nsurprised NXP didn’t communicate with its customers.”\r\nIn an email, an NXP representative said the NRC report “is very dated as it was addressed back in 2019. As stated\r\nin our 2019 Annual Report, we became aware of a compromise of certain IT systems, and after a thorough\r\ninvestigation we determined that this incident did not result in a material adverse effect on our business. At NXP,\r\nwe take the security of data very seriously. We learned from this experience and prioritize continually\r\nstrengthening our IT systems to protect against ever-evolving cybersecurity threats.”\r\nChimera has extensive experience stealing data from a wide range of companies. The threat actor uses a variety of\r\nmeans to compromise its victims. In the campaign that hit NXP, hackers often leveraged account information\r\nrevealed in previous data breaches of sites such as LinkedIn or Facebook. 
The data allowed Chimera to guess the\r\npasswords that employees used to access VPN accounts. Team members were able to bypass multi-factor\r\nauthentication by changing telephone numbers associated with the accounts.\r\nSecurity firm Cycraft documented one two-year hacking spree that targeted semiconductor makers with operations\r\nin Taiwan, where NXP happens to have research and development facilities. An attack on one of the unnamed\r\nvictims compromised 10 endpoints and another compromised 24 endpoints.\r\n“The main objective of these attacks appeared to be stealing intelligence, specifically documents about IC chips,\r\nsoftware development kits (SDKs), IC designs, source code, etc.,” Cycraft researchers wrote. “If such documents\r\nare successfully stolen, the impact can be devastating.”\r\nSource: https://arstechnica.com/security/2023/11/hackers-spent-2-years-looting-secrets-of-chipmaker-nxp-before-being-detected/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://arstechnica.com/security/2023/11/hackers-spent-2-years-looting-secrets-of-chipmaker-nxp-before-being-detected/"
	],
	"report_names": [
		"hackers-spent-2-years-looting-secrets-of-chipmaker-nxp-before-being-detected"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434687,
	"ts_updated_at": 1775826730,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/215d7bfcbe70c632bd58b2c38a58e973b1c6d0e5.pdf",
		"text": "https://archive.orkl.eu/215d7bfcbe70c632bd58b2c38a58e973b1c6d0e5.txt",
		"img": "https://archive.orkl.eu/215d7bfcbe70c632bd58b2c38a58e973b1c6d0e5.jpg"
	}
}