A key chip supplier for iPhones, Taiwan Semiconductor Manufacturing Co., said the virulent WannaCry ransomware worm infected its production lines over the weekend. The incident shows how the malicious malware continues to leave a wake of $100 million-plus losses 15 months after it first took flight.
“This virus outbreak occurred due to misoperation during the software installation process for a new tool, which caused a virus to spread once the tool was connected to the company’s computer network,” TSMC officials wrote in a statement published Sunday.
TSMC said it had 80 percent of affected chip fabrication systems back online on Sunday and expected to restore the remainder by Monday. The shutdown comes at a critical time for Apple, which accounts for 21 percent of TSMC’s revenue, according to Bloomberg News. Apple is reportedly planning to release three new iPhone models by year’s end. It’s not yet clear if the shutdown might affect the chip output Apple relies on for the new devices. Shares of Apple stock were trading up about 0.4 percent on Monday as this post was being prepared.
With help from a stolen NSA exploit
WannaCry was significant because it temporarily halted critical operations at hospitals, shipping companies, telecommunications services, train stations, and other mission-critical organizations. Another important trait: it repurposed an advanced exploit developed by and later stolen from the US National Security Agency that allowed the ransomware to spread virally on Windows computers that had yet to install a critical patch Microsoft had released two months earlier. The attack, code-named Eternalblue, worked reliably against computers running Microsoft Windows XP through Windows Server 2012 by exploiting a vulnerability that allowed complete take-over with no interaction from an end user. EternalBlue was leaked in April 2017 by a mysterious group calling itself Shadow Brokers.
The highly debilitating effects of WannaCry were eventually contained by a so-called kill switch that security researcher Marcus Hutchins, aka MalwareTech, activated when he registered a domain name less than a day after the worm was unleashed. He found the unregistered domain embedded in some of the code. It was only after he registered the domain that he discovered it acted as a switch the attackers could use to terminate the campaign. The domain has continued to prevent computers that get exposed to the WannaCry malware from installing a payload that encrypts hard drives and displays a screen demanding a ransom in exchange for a decryption key.
Why WannaCry was able to spread so rapidly through the TSMC network is unclear. One possibility is that the worm was modified to remove the kill switch. Another possibility is a firewall or other software or hardware on the TSMC network prevented computers from accessing the domain that instructs partially infected computers to terminate the later and most destructive stages of the infection. Either way, this latest outbreak underscores the destruction WannaCry continues to inflict on critical operations worldwide.