TSMC announced this week that it suffered a computer malware outbreak, resulting in a roughly 3-day outage for parts of the fab while systems were restored. As a consequence of the downtime, the fab expects certain shipment delays and additional charges. Specifically, because of the interruptions and costs, the company’s Q3 revenue and gross margin will be 2% and 1% lower than anticipated, respectively. TSMC later clarified that the outbreak was caused by “misoperation” during the software installation for a new piece of equipment.

What Happened?

TSMC’s personnel set up a new manufacturing tool on Friday, August 3, and then installed software for the device. The machine was not isolated and confirmed to be malware-free before it was connected to TSMC’s internal network. Consequently, the introduction of a malware-infected machine to TSMC's internal production network allowed the malware to quickly spread and infect computers, production equipment, and automated materials handling systems across TSMC’s fabs.

According to the chipmaker, the malware was a variant of the WannaCry ransomware cryptoworm. WannaCry, though over a year old at this point, still has the ability to propagate among any remaining unpatched systems, which is what happened here: the malware infected Windows 7-based machines “without patched software for their tool automation interface.” As a consequence, the affected equipment either crashed or rebooted continuously, leaving it essentially inoperable.

TSMC has been stressing that not all of its tools and automated materials handling systems were affected, and that the degree of infection varied by fab. The company had to shut down infected equipment and apply patches. By 2 PM Taiwan time on Monday, 80% of the impacted tools had been recovered and TSMC said that it would mend all of them by Tuesday.

The Impact

Since the said tools are located across multiple fabs and are therefore used to process wafers using a variety of process technologies for different customers, it is evident that the outbreak affected delivery schedules for many chips. As a consequence, the company had to notify its customers and reschedule their wafer delivery dates. Some of the delayed wafers will be delivered not in Q3 but in Q4, thus affecting product launch plans.

None of TSMC's well-known customers are currently commenting on the matter, but this event has occurred during what's widely believed to be the ramp-up periods for new chips from Apple and NVIDIA. Since at least some of TSMC’s production tools were offline for four to five days, it is evident there will be an impact, though it is hard to estimate how significant it will be.

What remains to be seen is how a several-day outage of numerous semiconductor production tools is set to affect TSMC’s customers in general. After all, 2% of TSMC’s Q3 revenue is between $169 and $171 million, and that is a lot of money. We will likely learn more about the effect of the malware outbreak in the coming months.

(ed: As an aside, I find it very interesting that this entire episode was essentially happenstance, rather than some kind of targeted attack as would typically be the case. WannaCry is over a year old and is self-propagating; so as a proper worm, it goes wherever it can, whenever it can. In fact with the release of patches over a year ago, WannaCry's primary function is done. So for TSMC this is the IT equivalent of stepping on a landmine from a long-forgotten war, and reinforcing the fact that advanced malware can be dangerous to the public long after it has done its job. -Ryan)


  • edzieba - Friday, August 10, 2018 - link

    " and introduce an elaborate procedure for vetting new systems to make sure they don't introduce any unknowns.

    I think it's a real stretch to assume that they're just winging it on this."

    Given an infected system was connected to an internal network full of unpatched systems, the evidence of 'winging it' is pretty public. "But we need to keep our setups static" does not mean just throwing up your hands in resignation, it means security efforts need to be redoubled to compensate. Enhanced scans of new devices, popping it onto a honeypot network to see what crawls out, packet vetting for the internal network, etc.
  • dshess - Saturday, August 11, 2018 - link

    """Given an infected system was connected to an internal network full of unpatched systems, the evidence of 'winging it' is pretty public."""

    We have evidence that they were compromised, but we have no evidence of how much effort they put into not being compromised. They might have a super-elaborate system to protect against this kind of problem, and someone might have put the wrong stick label on a piece of kit. Having a process which could be improved is distinct from making up your process as you go.
  • baka_toroi - Thursday, August 9, 2018 - link

  • FunBunny2 - Thursday, August 9, 2018 - link

    well, it largely does where it really counts: most RDBMS (modulo SQL Server, of course) run anywhere run on linux/*nix. there are lots of other places it can, too. the caveat is that, to the extent we're in a X86 monoculture, clever assembler bad guy coders can get around that problem.
  • GreenReaper - Friday, August 10, 2018 - link

    <a href="https://www.microsoft.com/en-gb/sql-server/sql-ser... guess you haven't heard the news</a>.
  • GreenReaper - Friday, August 10, 2018 - link

    Let's try that again! "I guess you haven't heard the news:"
  • FunBunny2 - Friday, August 10, 2018 - link

    sure I have. but linux SS isn't "real" SS. yet. may never be. only been around for a very little while.
  • bji - Thursday, August 9, 2018 - link

    What exactly does it mean for malware to have "done its job"?

    Malware's job is to infect and usually to monetize based on that infection. That job is never done from the malware's perspective.
  • mapesdhs - Friday, August 10, 2018 - link

    I inferred he meant from the perspective of the idiots who released it in the first place. Malware doesn't have a perspective, it doesn't have agency. Thank grud not yet anyway.
  • Ryan Smith - Friday, August 10, 2018 - link


    WannaCry's utility as a viable, semi-controlled weapon is over. The underlying exploits have been patched long ago, virus scanners know its signature, and tools have been created to reverse its encryption. Furthermore the random addresses are monitored, and it's well-known that paying said ransom won't get your data back.

    So all it can do is lurk in the depths of unfixed machines, infecting anyone unlucky enough to stumble upon it. It no longer serves a purpose; just blind destruction.
