Ransomware | Resolved

TSMC WannaCry production-line shutdown

A WannaCry ransomware variant spread through unpatched Windows 7 fabrication tools at TSMC, the world's largest contract chipmaker, halting production at plants in Hsinchu, Taichung, and Tainan and causing an estimated $170 million in losses.

Victim: Taiwan Semiconductor Manufacturing Company (TSMC)
Loss: $170.0M

On 3 August 2018, the Taiwan Semiconductor Manufacturing Company (TSMC), the world's largest contract chip manufacturer and a critical supplier to Apple, AMD, and Nvidia, suffered an unprecedented disruption when a WannaCry ransomware variant swept through its production network, halting fabrication lines for two days and costing an estimated $170 million.

What happened

The infection began not with a targeted intrusion but with a supply-chain hygiene failure. A supplier connected a new fabrication tool to TSMC's network without scanning it first. The machine carried a variant of WannaCry, the worm that had caused global havoc in May 2017.

WannaCry propagates using EternalBlue (CVE-2017-0144), an exploit leaked from the NSA that targets a flaw in Microsoft's SMBv1 protocol. Although Microsoft had patched the vulnerability more than a year earlier, TSMC's fabs ran thousands of unpatched Windows 7 machines hosting the tool-automation interface that controls manufacturing equipment. The worm spread rapidly across these systems, and instead of encrypting files for ransom it caused them to crash and reboot in an endless loop.

Within hours, more than 10,000 machines were affected, forcing TSMC to shut down plants in Hsinchu, Taichung, and Tainan, some of which were producing system-on-chip components for upcoming Apple iPhones.
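The propagation described above is visible on the network as one host opening SMB connections to many distinct peers in a short time. The following is an added example, not code from TSMC or the cited sources: a sliding-window fan-out detector over flow records. The log format, IP addresses, window, and threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

SMB_PORT = 445          # SMB over TCP, the service EternalBlue targets
WINDOW_SECONDS = 60     # assumed sliding window, tune per site
FANOUT_THRESHOLD = 5    # assumed: distinct SMB peers within the window

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
1000 10.20.0.50 10.20.0.1 445
1001 10.20.0.50 10.20.0.2 445
1002 10.20.0.50 10.20.0.3 445
1004 10.20.0.50 10.20.0.4 445
1005 10.20.0.50 10.20.0.5 445
1003 10.20.0.7 10.20.0.200 445
1010 10.20.0.7 10.20.0.200 445
1000 10.20.0.8 10.20.0.1 445
1100 10.20.0.8 10.20.0.2 445
1200 10.20.0.8 10.20.0.3 445
1300 10.20.0.8 10.20.0.4 445
1400 10.20.0.8 10.20.0.5 445
1000 10.20.0.9 10.20.0.1 443
1001 10.20.0.9 10.20.0.2 443
1002 10.20.0.9 10.20.0.3 443
1003 10.20.0.9 10.20.0.4 443
1004 10.20.0.9 10.20.0.5 443
"""

def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)

def detect_smb_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: first_alert_time} for hosts that reach `threshold`
    distinct peers on TCP 445 within `window` seconds."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still in the window
    alerts = {}
    for ts, src, dst, port in sorted(parse_flow(l) for l in lines if l.strip()):
        if port != SMB_PORT:
            continue              # only SMB traffic is relevant here
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()           # expire records older than the window
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    print(detect_smb_fanout(SAMPLE_FLOWS.splitlines()))
```

Only 10.20.0.50 alerts on the sample data: the host that talks repeatedly to a single file server, the host that reaches five peers over several minutes, and the host fanning out on port 443 all stay below the threshold.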

Impact

  • Production halted for roughly two days across multiple fabs.
  • TSMC estimated the incident would shave about 3% off third-quarter revenue, with total losses around $170 million (about NT$5.2 billion).
  • By 5 August, around 80% of affected tools were restored; full recovery followed shortly after.
  • No customer data was stolen and no ransom was paid; the damage was purely operational.

Why it matters

The TSMC incident was a wake-up call for operational-technology (OT) security in manufacturing. The episode showed how a single unscanned tool and a population of legacy, unpatched Windows machines could idle one of the most advanced factories on earth. Industrial environments often run obsolete operating systems because requalifying production equipment is slow and expensive, but TSMC proved that this technical debt carries a nine-figure price tag.

The incident accelerated adoption of stricter equipment on-boarding, network segmentation, and patch governance across the semiconductor industry. It stands as the canonical example of strategic damage to critical supply-chain infrastructure caused by a commodity worm rather than by any deliberate sabotage.

Timeline

  1. A TSMC supplier connects an infected new fabrication tool to the network without scanning it, introducing a WannaCry variant.

  2. The worm spreads via the EternalBlue SMB exploit across thousands of unpatched Windows 7 machines running the tool-automation interface, crashing and rebooting systems endlessly.

  3. TSMC takes emergency steps as fabs in Hsinchu, Taichung, and Tainan shut down through the weekend.

  4. TSMC restores about 80% of affected tools and confirms a WannaCry variant, not a targeted attack, was responsible.

  5. TSMC announces full recovery and estimates a roughly 3% hit to Q3 revenue, about $170 million in losses.

Sources

  1. securityweek.com: https://www.securityweek.com/chip-giant-tsmc-says-wannacry-behind-production-halt/
  2. thehackernews.com: https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html
  3. sst.semiconductor-digest.com: https://sst.semiconductor-digest.com/2018/08/tsmc-wannacry-infection-forces-shutdowns-financial-losses/
  4. bloomberg.com: https://www.bloomberg.com/news/articles/2018-08-04/tsmc-takes-emergency-steps-as-operations-hit-by-computer-virus
