Six-Fold Surge in Cyberattacks and $1B in Ransomware Losses Are Reshaping the Global Semiconductor Industry

By Staff

CloudSEK’s latest threat intelligence report, Silicon Under Siege: The Cyber War Reshaping the Global Semiconductor Industry, uncovers a rapidly escalating cyber threat landscape targeting the semiconductor sector.

Powering everything from AI and defense systems to smartphones, clean energy, and healthcare, semiconductors have become both a strategic asset and a prime cyber target. The research reveals that nation-state-backed groups, ransomware operators, and hacktivists are waging a silent but highly coordinated cyber war focused on chip makers.

CloudSEK’s proof-of-concept showed how AI can be harnessed to design and embed hardware Trojans at the pre-design stage of a chip. Even a simple AI-generated implant can evade detection and, once manufactured, lie dormant for years until triggered – leaking sensitive data, falsifying outputs, or halting operations. 

More advanced AI-driven designs could tailor Trojans to bypass specific security checks, adapt to different architectures, and remain invisible across multiple verification stages, making them potent tools for espionage or sabotage in the semiconductor supply chain.
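The passage above describes the two properties that make a pre-silicon Trojan dangerous: it stays inert under ordinary functional verification and only misbehaves on a rare trigger. The following Python model is an added example written for this page, not CloudSEK's proof-of-concept or any real design. It stands in for RTL with a toy keyed mixing block, adds a comparator-driven payload that muxes the key onto the output bus when one assumed 32-bit input pattern arrives, and then shows two things: random golden-model comparison (the "standard test") passes cleanly, while a simulation-based rare-net screen, the idea behind UCI/FANCI-style detection, flags the trigger and mux-select nets because they never toggle. The key, the trigger constant and all net names are assumptions made here.

```python
"""Toy model of a dormant hardware Trojan and a rare-net screen for it.

Added example for this page; not CloudSEK's code and not a real cipher.
KEY, TRIGGER and all net names are assumed values chosen for illustration.
"""
import random

KEY = 0xDEADBEEF       # secret the payload leaks (assumed toy value)
TRIGGER = 0x5A5A0001   # rare 32-bit input that arms the payload (assumed)
MASK32 = 0xFFFFFFFF


def clean_block(x, key=KEY):
    """Honest datapath: keyed mixing of a 32-bit word (toy, not a cipher)."""
    y = (x ^ key) & MASK32
    y = ((y << 7) | (y >> 25)) & MASK32          # rotate left by 7
    return (y * 0x9E3779B1) & MASK32


def trojaned_block_traced(x, key=KEY):
    """Trojaned datapath. Returns (output, nets).

    Functionally identical to clean_block for every input except TRIGGER,
    where the comparator net 'armed' goes high and the mux puts the key
    on the output bus instead of the mixed value.
    """
    y = (x ^ key) & MASK32
    armed = int(x == TRIGGER)                    # the trigger comparator
    out = key if armed else clean_block(x, key)  # the payload mux
    nets = {
        "xor_lsb": y & 1,           # normal datapath nets: toggle freely
        "xor_msb": (y >> 31) & 1,
        "armed": armed,             # stuck at 0 for 2**32 - 1 of 2**32 inputs
        "mux_sel": armed,
    }
    return out, nets


def trojaned_block(x, key=KEY):
    """Output-only view, as a test bench would see the design."""
    return trojaned_block_traced(x, key)[0]


def passes_random_equivalence(n, seed=1):
    """Standard functional check: n random vectors against the golden model.
    The Trojan survives this because hitting TRIGGER at random has
    probability n / 2**32."""
    rng = random.Random(seed)
    for _ in range(n):
        v = rng.getrandbits(32)
        if trojaned_block(v) != clean_block(v):
            return False
    return True


def rare_nets(n, seed=1):
    """Simulation-based rare-net screen: any internal net that holds a single
    value across all n random vectors is a trigger candidate for review."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(n):
        _, nets = trojaned_block_traced(rng.getrandbits(32))
        for name, val in nets.items():
            seen.setdefault(name, set()).add(val)
    return sorted(name for name, vals in seen.items() if len(vals) == 1)


def leaks_key_on_trigger():
    """Directed test: once the trigger is known, the leak is one cycle away."""
    return trojaned_block(TRIGGER) == KEY


if __name__ == "__main__":
    print("random equivalence passes:", passes_random_equivalence(20000))
    print("nets that never toggled:  ", rare_nets(20000))
    print("key leaked on trigger:    ", leaks_key_on_trigger())
```

The rare-net screen is a heuristic, not a proof: a Trojan whose trigger net is deliberately exercised by a benign multi-cycle sequence will not show up as stuck, which is why the report's recommendation of formal verification alongside simulation matters.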

Additional findings from the report include:

  • Attack volume in this industry segment is up sixfold since 2022 — driven by espionage, supply-chain compromises, and state-sponsored campaigns.
  • $1.05 billion in ransomware-related losses since 2018, which includes ransom payments, downtime and recovery costs.
  • IT is the initial attack vector, with over 60 percent of industrial control system breaches beginning with IT (phishing, VPN exploits, CVEs, exposed interfaces and misconfigurations, default or leaked/compromised credentials, etc.) before pivoting to OT.
  • Massive infrastructure exposure. The U.S. alone has approximately two million publicly reachable ICS assets linked to semiconductor operations – many potentially with weak or default controls.
  • Massive Middle East ICS exposure — across the Middle East, publicly reachable ICS and OT assets tied to semiconductor-linked manufacturing and potentially critical oil, gas, and industrial operations remain exposed, with potential vulnerabilities stemming from weak authentication, misconfigurations and outdated protocols.
  • High-value espionage incidents — in July 2025, China-backed APT41 infiltrated multiple Taiwanese semiconductor companies via a compromised software update, stealing proprietary chip designs and process data.
  • Pre-silicon hardware Trojans — CloudSEK’s proof-of-concept AI-generated Trojan can remain dormant until triggered, leaking cryptographic keys while evading standard tests.
  • Single vendor compromise cascading into global disruption — the 2023 MKS Instruments ransomware breach caused an estimated $250M in losses to Applied Materials in one quarter. 

Geopolitics and the “Silicon Cold War”

The semiconductor race has become a strategic flashpoint in the global balance of power, with cyber espionage campaigns, supply chain intrusions, and state-backed sabotage now central to the contest:

  • China is investing $150+ billion to achieve chip self-sufficiency and reduce reliance on Western tech.
  • The U.S. has committed $52 billion via the CHIPS Act to reshore manufacturing and secure supply chains.
  • India is investing $10 billion in its semiconductor mission, aiming for a $100 billion market by 2030.

State-sponsored Advanced Persistent Threats (APTs) such as APT41, Volt Typhoon and PlushDaemon are embedding themselves in software pipelines, EDA tools, and factory operations, shifting from data theft alone to long-term disruption strategies that can cripple production during geopolitical flashpoints.

Notable Campaigns and Case Studies

The semiconductor industry’s cyber risk is not new. Landmark events such as the 2010 Stuxnet sabotage of Iran’s Natanz facility, the 2018 TSMC WannaCry infection that halted iPhone chip production, and other high-profile attacks have long demonstrated the destructive potential of cyber threats to semiconductor-driven critical infrastructure.

Some real-world incidents highlighting such issues include:

  • The Aliquippa Water Authority Breach (November 2023). Default HMI credentials exposed Unitronics PLCs.
  • UNC5221 VPN Exploitation (2025). State-affiliated actors exploited CVE-2025-22457 in Ivanti Connect Secure (ICS) VPN appliances to pivot into OT networks, spotlighting VPNs as critical OT entry points.
  • Infostealer Malware Targeting Defense Contractors (February 2025). Commodity stealers harvested credentials that could be used to access corporate VPNs and OT management interfaces.
  • Medusa Ransomware Campaigns (2021–2025). Active RaaS operations targeting legacy ICS/SCADA systems in manufacturing and supply chains, often combining encryption with IP extortion.
  • Microchip Technology Breach (August 2024). IT system compromise disrupted multiple facilities, causing an estimated $21M in losses and halting connected OT functions. 

“Semiconductors are the new oil — and the new high ground in geopolitical conflict. These attacks don’t just threaten a company’s bottom line; they can disrupt national economies, weaken defence readiness, and shift global technological leadership. In many cases, the compromise is invisible until it’s too late — literally etched in silicon,” offers Ibrahim Saify, Security Analyst at CloudSEK.

Some steps the semiconductor sector, and manufacturers more broadly, should take to improve their security posture include:

  • Isolate IT and OT networks to prevent lateral movement between corporate IT and manufacturing systems.
  • Secure-by-Design practices. Implement RTL integrity checks, formal logic verification, and traceable SBOMs for third-party IP.
  • Continuous attack surface monitoring. Detect exposed assets, leaked credentials, and unpatched CVEs before attackers exploit them.
  • Vendor Risk Management. Enforce stringent security requirements for all suppliers and third-party service providers.
  • Global Threat Intelligence Sharing. Collaborate across borders to detect and neutralize state-sponsored campaigns before they escalate.
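The "RTL integrity checks" and "traceable SBOMs for third-party IP" items above are easy to state and rarely shown concretely. The block below is an added example for this page, not a CloudSEK tool or any vendor's product. It builds a per-file SHA-256 manifest with a single root digest over a design tree, records which paths belong to which third-party IP block, and on re-verification reports modified, added and removed files together with the IP supplier they trace to. The file contents, paths and the "Vendor X" SBOM entry are constructed stand-ins held in memory so the example runs offline.

```python
"""RTL integrity manifest with third-party-IP attribution.

Added example for this page, not CloudSEK's code. The design tree, paths
and SBOM entries below are constructed in memory; a real run would read
files from the repository and pin the manifest in signed version control.
"""
import hashlib

# Constructed sample tree: path -> file contents (assumed, not real RTL).
BASELINE_TREE = {
    "rtl/core/alu.v":     "module alu(input [31:0] a, b, output [31:0] y);\n"
                          "  assign y = a + b;\nendmodule\n",
    "ip/vendor_x/uart.v": "module uart(input clk, input [7:0] d);\nendmodule\n",
    "ip/vendor_x/README": "Vendor X UART IP, release 2.3.1\n",
}

# Constructed SBOM fragment: path prefix -> third-party IP provenance.
IP_SBOM = {
    "ip/vendor_x/": {"supplier": "Vendor X (hypothetical)", "version": "2.3.1"},
}


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(tree):
    """Per-file digests plus a root digest over the sorted (path, digest) pairs,
    so a single value can be pinned in a signed tag or a build attestation."""
    files = {path: sha256_hex(content) for path, content in tree.items()}
    root_src = "".join(f"{p}\0{h}\n" for p, h in sorted(files.items()))
    return {"files": files, "root": sha256_hex(root_src)}


def attribute_to_ip(path, sbom=IP_SBOM):
    """Return the SBOM entry whose path prefix covers this file, else None."""
    for prefix, entry in sbom.items():
        if path.startswith(prefix):
            return entry
    return None


def verify_tree(manifest, tree, sbom=IP_SBOM):
    """Compare a current tree against a pinned manifest.

    Returns a report of modified / added / removed paths, whether the root
    digest still matches, and which third-party IP blocks are touched."""
    current = build_manifest(tree)
    pinned = manifest["files"]
    modified = sorted(p for p in pinned if p in current["files"]
                      and current["files"][p] != pinned[p])
    added = sorted(p for p in current["files"] if p not in pinned)
    removed = sorted(p for p in pinned if p not in current["files"])
    touched = modified + added + removed
    ip_affected = {}
    for p in touched:
        entry = attribute_to_ip(p, sbom)
        if entry is not None:
            ip_affected[p] = entry
    return {
        "root_ok": current["root"] == manifest["root"],
        "modified": modified,
        "added": added,
        "removed": removed,
        "ip_affected": ip_affected,
    }


def tampered_tree():
    """Constructed scenario: a rare-value comparator is slipped into the
    vendor UART and a stray file appears under the core directory."""
    tree = dict(BASELINE_TREE)
    tree["ip/vendor_x/uart.v"] = (
        "module uart(input clk, input [7:0] d);\n"
        "  reg armed; always @(posedge clk) armed <= (d == 8'h5A);\n"
        "endmodule\n")
    tree["rtl/core/debug_tap.v"] = "module debug_tap(); endmodule\n"
    return tree


if __name__ == "__main__":
    pinned = build_manifest(BASELINE_TREE)
    print("clean:   ", verify_tree(pinned, BASELINE_TREE))
    print("tampered:", verify_tree(pinned, tampered_tree()))
```

A manifest like this only proves that the RTL handed to synthesis is the RTL that was reviewed; it says nothing about whether the reviewed RTL is trustworthy, which is the job of the formal verification and rare-net analysis the report also calls for.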

CloudSEK’s BeVigil and XVigil platforms deliver real-time visibility into exposed IT/OT assets on the Internet, map vulnerable vendor ecosystems, and track emerging threat actor infrastructure, enabling chipmakers and suppliers to act before vulnerabilities become permanent features of the global tech landscape.

The full report is available from CloudSEK.
