Skip to content
Posted in

Case Study

Case Study: The 2023 MSI Code Signing Data Theft

Posted byAryan Kumar 11 Minutes
MSI

In April 2023, Micro-Star International (MSI), a renowned Taiwanese manufacturer of laptops, motherboards, and graphics cards, fell victim to a ransomware attack perpetrated by the Money Message gang. The breach resulted in the theft and subsequent leakage of private code signing keys on the dark web, posing a significant threat to the security of MSI’s products and the broader technology ecosystem. These keys, critical for verifying the authenticity of firmware updates, could enable attackers to distribute malicious firmware disguised as legitimate updates, potentially leading to devastating supply chain attacks.

Code signing is essential for digital security, ensuring software and firmware remain trustworthy. The MSI breach highlighted vulnerabilities in key management, raising concerns about attackers bypassing security features like Intel Boot Guard (Press Release). This blog explores the MSI code signing theft, its consequences, and how Encryption Consulting’s CodeSign Secure could have mitigated these risks. 

Company Overview 

Micro-Star International (MSI), founded in 1986, is a globally recognized Taiwanese technology company headquartered in New Taipei City. MSI has established itself as a leader in the gaming and professional computing markets, offering a diverse portfolio of products including motherboards, graphics cards, laptops, desktops, all-in-one PCs, servers, industrial computers, consumer and gaming peripherals, and barebone computers. The company is particularly renowned for its high-performance gaming hardware, with motherboards supporting the latest Intel and AMD processors and graphics cards powered by NVIDIA and AMD GPUs.  

With operations spanning over 120 countries, MSI employs thousands of people and has built a reputation for innovation and quality. Its strong presence in the esports community, sponsoring professional gaming teams and tournaments, underscores its market leadership. For a hardware vendor like MSI, firmware signing is a critical security function, as it ensures that only legitimate and untampered firmware can run on their devices, forming the foundation of a secure boot process. 

It’s worth noting that prior to this incident, some security researchers had already highlighted gaps in MSI’s security practices, such as firmware updates that, at times, made Secure Boot less effective by changing default settings to “Always Execute” rather than enforcing signature verification. However, the 2023 ransomware attack that compromised its code signing keys highlighted significant cybersecurity challenges, revealing the need for strong protection of critical digital assets to safeguard digital information.  

Nature and Timeline of Breach 

In April 2023, MSI disclosed a ransomware attack by the Money Message gang, a cybercriminal group known for targeting high-profile organizations. The breach, which occurred in March 2023, resulted in the theft of approximately 1.5 terabytes of sensitive data, including proprietary source code and private code signing keys. These keys are essential for verifying the authenticity and integrity of MSI’s firmware updates, and their compromise posed a significant security risk.  

The attackers, after infiltrating MSI’s systems, demanded a ransom of $4 million. When MSI refused to pay, the Money Message gang leaked the stolen data on their dark web portal. The leaked data included: 

  • Firmware signing keys for 57 different PCs, used to sign UEFI firmware updates.
  • Intel Boot Guard keys for 116 MSI products, including those based on Intel’s 11th (Tiger Lake), 12th (Alder Lake), and 13th (Raptor Lake) generation processors.

The leaked Intel Boot Guard keys were identified as OEM private keys (Key Manifest and Boot Policy Manifest private keys). These are generated by the Original Equipment Manufacturer (OEM), in this case, MSI, and are then “fused” into the chipset, making them integral to the platform’s trusted boot chain.  

These keys are critical for ensuring that firmware updates are legitimate and untampered. Their theft raised alarms about the potential for attackers to create and distribute malicious firmware updates that could bypass security measures like Intel Boot Guard, a hardware-based feature designed to protect the boot process.  

DateEvent
March 2023 Money Message gang infiltrates MSI’s systems, deploying ransomware and exfiltrating 1.5 terabytes of data, including code signing keys. 
April 2, 2023 MSI publicly discloses the cyberattack, initially claiming minimal operational impact. 
Post-April 2, 2023 After MSI refused to pay the ransom, the attackers leaked the stolen data on the dark web, including firmware signing keys and Intel Boot Guard keys. 
April 2023 OnwardSecurity researchers analysed the leaked data, confirming the severity of the key compromise and its potential impact on system security. (Report

Challenges 

The MSI code signing data theft presented several complex challenges that amplified its severity and made mitigation difficult. The irrevocability of firmware keys was a significant hurdle, as these keys are often hardcoded into hardware or firmware images. This happens because certain critical keys, particularly those forming the root of trust, are “burned” into one-time programmable (OTP) fuses within the system’s chipset (like the Platform Controller Hub – PCH) or a Trusted Platform Module (TPM) during the manufacturing process. This means they cannot be easily revoked or replaced without updating the hardware itself, which is impractical for many users. This posed a persistent risk, as compromised devices remained vulnerable to attacks. 

Another challenge was the potential for supply chain attacks. With the stolen keys, attackers could create malicious firmware updates that appear legitimate, allowing them to distribute malware through trusted channels. Such attacks could compromise the boot process of affected devices, enabling persistent infections that are difficult to detect or remove. The impact on Intel Boot Guard, a hardware-based security feature, was particularly concerning, as the compromise of MSI’s Boot Guard keys meant attackers could sign malicious firmware that bypasses this protection, rendering it ineffective on affected devices. 

Once Intel Boot Guard is compromised, there is no secure boot fallback mechanism within the hardware itself to prevent the execution of unauthorized firmware. This significantly elevates the risk of sophisticated rootkits and bootkits being installed, which operate at a level below the operating system, making them extremely difficult for traditional antivirus and host-based security solutions to detect and remove. 

Customer trust and reputation were also at stake, with the breach eroding confidence in MSI’s security practices. The company had to work to reassure its customers that the breach was contained and that steps were being taken to mitigate the risks. Technical remediation efforts required extensive audits to ensure no malicious firmware had been distributed and that MSI’s systems were secure against further attacks, demanding significant resources and expertise. 

Legal and regulatory implications added another layer of complexity, as the theft of sensitive data could have ramifications under data protection laws, although MSI stated no customer data was compromised. The breach also brought to light potential weaknesses in MSI’s internal audit and alerting mechanisms for critical digital assets, suggests a possible lack of continuous tamper-evident logging for key usage and access, or insufficient integration of such logs into a Security Information and Event Management (SIEM) system for real-time monitoring and alerting of suspicious activities related to code signing infrastructure. 

Enterprise Code-Signing Solution

Get One solution for all your software code-signing cryptographic needs with our code-signing solution.

Book a Demo

Impact

The MSI code signing data theft had far-reaching consequences, affecting MSI, its customers, and the broader technology ecosystem. The primary concern was the security risks for users, as attackers could use the stolen keys to sign and distribute malicious firmware updates. This is particularly dangerous because firmware-level malware, such as the infamous LoJax or the more recent MoonBounce, can embed itself deep within the Unified Extensible Firmware Interface (UEFI) in the SPI flash memory, effectively operating below the operating system level.

Once signed with legitimate keys, these types of threats become incredibly difficult to detect and remove, often surviving operating system reinstallation, hard drive replacement, and even factory resets, making them a persistent and stealthy rootkit. Such updates could allow attackers to gain persistent access to systems, steal sensitive data, or even render devices inoperable, for both individual consumers and large organizations.  

  • The breach highlighted vulnerabilities in the software supply chain, particularly in the firmware update process. Since the attackers were able to compromise code signing keys, they had the ability to insert malware into the supply chain, affecting multiple organizations and devices, with the global cost of supply chain attacks estimated at $46 billion as of 2023 (Report).
  • Reputational damage was significant for MSI, as the incident likely affected customer confidence and market share. The company had to address concerns from customers and partners about the security of its products, which potentially impacted future sales.
  • Financial costs included expenses for investigating the incident, implementing remediation measures, and potentially compensating affected parties. The breach led to long-term financial impacts if customers switched to competitors due to security concerns.
  • Industry-wide implications were notable, with the incident serving as a wake-up call for the technology sector about the importance of securing code signing keys. It prompted discussions about improving key management practices and enhancing security measures for firmware updates.
  • Ongoing risks persist, as the compromised keys cannot be easily revoked, leaving devices using affected keys vulnerable unless users update their firmware, which may not always be possible.

Encryption Consulting’s CodeSign Secure 

At Encryption Consulting, we specialize in securing cryptographic assets and protecting organizations from threats like the MSI code signing data theft. Our CodeSign Secure solution provides a robust, flexible, and future-proof solution to safeguard code signing processes. The MSI code signing data breach could have been prevented or significantly mitigated through advanced key protection, automation, and compliance features.  

Our CodeSign Secure platform is designed to streamline and secure the entire code signing lifecycle, ensuring that private keys are protected from theft or misuse. By integrating with industry-leading Hardware Security Modules (HSMs), such as Thales, Utimaco, nCipher, and Fortanix, CodeSign Secure ensures that cryptographic keys are generated, stored, and used in a tamper-resistant environment compliant with FIPS 140-2 Level 3 standards. This eliminates the risk of key exposure, even in the event of a system compromise, as keys never leave the HSM. Some other features of CodeSign Secure are: 

  • Automated Code Signing Workflows: CodeSign Secure integrates seamlessly with CI/CD pipelines, such as Azure DevOps, Jenkins, and GitLab, automating the signing process while enforcing strict policies. This includes support for signed firmware pipelines, ensuring that not only application binaries but also critical firmware updates are securely signed as part of the automated build and release process, reducing human error and ensuring that only authorized personnel can initiate signing operations, preventing unauthorized key usage.
  • Granular Access Controls: Our platform features Role-Based Access Control (RBAC) and multi-factor authentication (MFA), along with M of N quorum approvals, to restrict key access to authorized users. This ensures that only trusted personnel can access code signing keys, mitigating risks from phishing or insider threats.
  • Comprehensive Audit Trails: It also provides detailed, signed audit logs for all signing events, enabling real-time visibility and forensic analysis. Proper logging and reporting allow you to detect suspicious activity early, facilitating a faster response to the breach. Additionally, our support for secure timestamps (RFC 3161 and Authenticode standards) ensures long-term signature validity, enhancing trust and compliance.
  • Post-Quantum Cryptography (PQC) Readiness: CodeSign Secure v3.02 supports NIST-approved PQC algorithms like ML-DSA and LMS, preparing organizations for quantum threats. Integrating PQC early in your organisation’s software releases will make it futureproof and will add an extra layer of security, ensuring resilience against emerging cryptographic risks.
  • Regulatory Compliance: Our solutions align with stringent standards, including FIPS 140-2, CA/Browser Forum, and GDPR, ensuring organisations meet regulatory requirements while protecting their supply chain. Integration with vulnerability scanners and Software Bills of Materials (SBOMs) further enhances compliance and transparency by providing a detailed overview of the issues that a software may contain.

Conclusion 

The MSI code signing data theft of 2023 was a pivotal event that exposed the critical vulnerabilities in managing cryptographic keys. The theft of firmware signing and Intel Boot Guard keys by the Money Message gang created a persistent threat to MSI’s customers and the broader technology ecosystem, with the potential for devastating supply chain attacks. The challenges of revoking embedded keys and restoring trust showed the complexity of addressing such breaches. 

This incident displayed the paramount importance of “zero-key export” policies and robust hardware-based security for critical keys, ensuring they can never be extracted from their secure environment. To prevent similar incidents, organizations must adopt a proactive and continuous security assessment approach, including periodic firmware signing audits, regular key rotations, and comprehensive threat modelling exercises to identify and mitigate potential attack vectors before they are exploited. 

Solutions such as Encryption Consulting’s CodeSign Secure and HSM as a Service could have prevented this incident by securing keys in tamper-resistant HSMs, automating workflows, and enforcing strict access controls. This breach serves as an alarming call for organizations to prioritize code signing security and adopt robust solutions to protect their digital assets. As cyber threats evolve, proactive measures, expert guidance, and industry collaboration are essential to safeguarding trust in the digital world. 

Explore

More Topics