LockBit breach victim Kulicke and Soffa revise impact in SEC filing

Kulicke and Soffa (K&S), a leading semiconductor solutions firm, admits to data stolen in a May 12th breach – since claimed by the LockBit ransomware group – in an amended 8K filing with the US Securities and Exchange Commission (SEC) this week.

The Singapore-headquartered company had disclosed information about the initial breach to financial regulators in a May 28th filing.

At the time, Kulicke and Soffa said it had no proof data had been exfiltrated during the breach.

The company’s latest amended SEC 8-K filing, dated June 12th, now tells a different story – partly due to samples posted on the LockBit ransomware gang’s dark leak site.

“Following further investigation, the Company has determined that the threat actor accessed and acquired some of our data, including source code, engineering information, business partner data and personally identifiable information,” Kulicke and Soffa stated in the supplemental filing.

Kulicke and Soffa June 8K filing
Kulicke and Soffa Industries file an amended 8K with the US Securities and Exchange Commission on June 12th, 2024. Image by Cybernews.

The LockBit heist

LockBit claimed to have been in K&S servers for months, claiming to have exfiltrated a whopping “20 terabytes of sensitive information and data (over 12 million files) from over 2000 different devices.”

The dark blog also now provides 13 samples of what appears to be the K&S corporate data allegedly stolen from the company’s servers during LockBit’s “pentest.”

In a June 3rd update, LockBit said they decided to share screenshots of the lifted data to “dispel this obvious lie” K&S told in its original SEC filing.

“These screenshots show less than 1% of the data we managed to retrieve. On them, you can clearly see the source codes and data related to lithography and financial documents,” LockBit went on.

“If things don't improve in the next few days, we'll have to make the first 100GB of data publicly available. We are also open to considering a private sale of this data to an interested client,” the gang threatened.

LockBit K&S sample 1
LockBit leak site. Image by Cybernews.

Kulicke and Soffa is a multi-million dollar next-gen semiconductor packaging and electronics assembly solutions firm, according to its website.

Global customers include those belonging to the automotive, advanced display, data and energy storage, consumer, communications, computing and industrial sectors.

The LockBit site lists the types of sensitive information it purportedly has in its possession including:

  • Source codes from git, svn and nexus; jira, bamboo, confluence;
  • Data related to lasers, microscopes, lithography, analyzers, 2D/3D files.
  • Mail backups, databases, archives, documents, user shares, personal files, chats.
  • Files related to clients and partners (for example, partnership with i3). Files related to key KNext products, Liteq 500.
  • Finance and accounting.

“We can assure that we have successfully collected absolutely everything, including internal correspondence, as well as correspondence (chats, emails) with customers,” LockBit states.

LockBit K&S sample 2
LockBit leak site. Image by Cybernews.

The data was said to be collected from servers and machines associated with K&S engineers, R&D and production departments.

The company had stated in its original filing that “on May 12th, 2024, it detected unauthorized access attempts into its network and servers.”

According to both filings, cybersecurity teams had immediately took actions to contain and isolate the affected servers to prevent further intrusion and that the attack had limited impact on business operations.

Founded by two American engineers in 1951, Kulicke and Soffa recorded a net revenue of $742.5 million in 2023, according to its year-end shareholder reports.

Besides Singapore, the company has over 18 office locations, including the US, Germany, China, Israel, and Japan.

LockBit continues to dominate

The LockBit cybercriminal cartel continues to dominate the ransomware industry, evading the FBI, and collecting tens of millions of dollars in ransom payments from its thousands of victims.

First appearing sometime in late 2019, the threat actors are said to have executed over 1,400 attacks in the US and around the world, including Asia, Europe, and Africa.

LockBitSupp $10 million
Image by US law enforcement/Reuters

The gang’s notorious ransomware variant LockBit 3.0 – also known as LockBit Black – is now in its third iteration and is considered the most evasive version of all previous strains, a US Department of Justice report said.

Just last week, the FBI revealed it had recovered 7,000 decryption keys, expected to help victims recover their stolen data.

The gang has proven slippery at best, evading international law enforcement efforts, led by the FBI and Europol, to dismantle LockBit’s operations.

Even after the seizure of the group’s infrastructure, dark website, and the release of the ringleader’s name and picture, LockBit was business as usual, creating a new leak site and targeting multiple US hospitals within days.

According to the Cybernews Ransomlooker, a ransomware monitoring tool, LockBit accounted for 47% of all publicly announced ransomware victims over the last 12 months.

LockBit operates using a ransomware-as-a-service (RaaS) business model and is responsible for major company attacks such as The Boeing Company, Allen & Overy, and was responsible for the mass 2023 exploit of the Citrix bug zero-day vulnerability.