Nvidia Cyber Attack
On February 23rd 2022, Nvidia – the maker of gaming chips – confirmed that they had been the victim of a cyber attack and a subsequent data leak.
The attack was carried out by malicious actors who exploited a vulnerability in one of Nvidia’s web domains. This allowed intruders to gain access to credentials of Nvidia employees (numbered over 70,000 people) and password hashes of their Windows accounts.
The responsibility for the hack was claimed by Lapsus$, an anonymous hacking collective believed to be based out of South America.
What were the Nvidia hacker’s demands?
The employee details were initially used as ransom with Lapsus$ making various demands:
- First they demand money as a ransom, the amount demanded was undisclosed
- They also demanded the removal of the light hash rate (LHR) which fundamentally limits the crypto mining performance of one of Nvidia’s graphics cards (the popular RTX 30-series)
- Further demands were made for Nvidia to release the source code of it’s GPU drivers under an open license
Lapsus confirmed these details in a message on encrypted Russian messaging platform Telegram:
“We decided to help mining and gaming community, we want Nvidia to push an update for all 30 series firmware that remove every LHR limitation otherwise we will leak hw (hardware) folder. If they remove the LHR we will forget about hw folder… We both know LHR impact mining and gaming.”
While it is unclear whether Nvidia complied with any of these demands, they most likely were not. We have not seen changes to the LHR or an open source release of the Nvidia GPU drivers.
Eventually the hacked data was leaked on forums and subsequently cracked.
Nvidia suffered a significant breach and publication of it’s data.
How did Nvidia react to the data leak?
Nvidia’s immediate response was swift and structured, following the processes of many large technology companies that have a cyber incident response process in place. Nvidia did the following:
- Issue a public statement confirming the attack and the data breach
- Request users to reset passwords, as a precautionary measure
- Engage the services of a cybersecurity firm to investigate and secure their systems
- Update their security protocols to prevent similar incidents in the future
- Provide a call center to assist customers with any questions or concerns they may have
- Monitor the data leak to ensure that no sensitive information is released
The company acknowledged the breach in a curt statement. They reinforced that they “do not anticipate any disruption to our business or our ability to serve our customers as a result of the incident” and admitted that hackers had exploited “Nvidia proprietary information and began leaking it online.”
The proprietry information was believed to be source code information and products that were not yet released or announced by the company.
Further impact for Nvidia
Some sources also claim that Nvidia’s internal systems were also impacted by the attack.
These had to be taken offline while others experienced a “slowdown” as they had to be rebooted and cleaned of any malicious files and code.
This resulted in potential delays to Nvidia’s products, as well as a decrease in employee productivity and time wastage.
Nvidia ransomware attack not in isolation
Ransomware attacks are becoming a common occurence. In 2022, data suggests ransomware attacks have increased 105% in the US when compared with 2021. Clearly companies need to prepare themselves for cyber threats and attacks.
This means being proactive in tackling this growing threat by implementing appropriate security measures to prevent such incidents from occurring.
Firms should also be aware of their cyber risks and the potential costs associated with such an attack. Rigorous cyber security policies, regular data backups and appropriate measures for data encryption should be employed by companies in order to protect their assets.
As the Nvidia cyber attack shows, the consequences of these attacks can be severe and costly. The hack was a reminder to other technology companies of the importance of taking cyber security seriously and having a robust system in place to protect their data and systems.
Clearly no company is too big to be a target.
Other posts and articles you may be interested in.