Attackers are always looking for new targets rich with data. One industry that is frequently targeted is automotive manufacturing. The data sought may take the form of patent information, technology secrets, mechanical solutions, corporate secrets, intellectual property, schematics, new systems, or personally identifiable information. Nearly all of this is marketable on the dark web and useful for industrial espionage.
The number of attacks continues to grow with each month, quarter, and year. In recent history, there have been successful attacks on the OEMs. These entities hold a massive amount of data on their operations, projections, and corporate confidential matters. One recent notable attack was on Toyota in Australia.
The attack was allegedly perpetrated by APT32, a Vietnamese group with ties to the Vietnamese government. The group is also known as Ocean Lotus and has been operating since at least 2014. This group is held responsible for the BMW breach discussed here, and it has been active in other recent attacks, including one on Hyundai.
With an attack on a large enterprise, determining when the attack actually took place or was initiated may not be as simple as it seems. In this breach, a branch of BMW had its network compromised sometime in the spring of 2019. BMW did detect the breach. Management nevertheless allowed the attackers to maintain their presence. While this seems counter-intuitive, there was a rationale for it: they wanted to follow the attackers' actions to gauge how far they were able to penetrate into the network. Once BMW understood the attack and its extent, it removed the attackers' access in November 2019.
Breaching a system belonging to a global manufacturer may not be an easy task. In this case, the attackers used an indirect method rather than attacking the network head-on. The attackers set up a website which appeared to be for the BMW branch in Thailand. Curiously, the same method was used successfully against Hyundai. Once a victim connected, Cobalt Strike infected the hosts. Cobalt Strike is a legitimate cybersecurity assessment tool used to perform assessments and penetration tests. In this case, the tool revealed misconfigurations and unpatched vulnerabilities to the attackers. This allowed them to gain further access into the network, monitor and control systems, harvest login credentials, and expand the infected areas. They also installed a backdoor into the breached network, which was how they were detected.
BMW noted that no sensitive data was accessed by the attackers, which is positive.
This successful attack shows the importance of working with the staff. The staff need to understand how important cybersecurity is and that it is everyone's responsibility. This is not something to be addressed once a year with the mandatory training. The training should reinforce the issues with websites and what can happen when the wrong website is visited. Attention to detail is important.
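The initial-access vector described above, a look-alike website posing as a regional branch, is something a defender can watch for in web-proxy logs. The following Python script is an added illustration and is not part of the original article, nor BMW's or any vendor's tooling: it checks the destination hosts in a few constructed log lines against a hypothetical allowlist of corporate domains and flags hosts that embed the brand name or sit within a small edit distance of a legitimate domain. The allowlist, brand tokens, log lines and threshold are all assumptions made for the example.

```python
"""Flag look-alike domains in web-proxy logs against an allowlist of corporate domains.

Added example; the domains and log lines below are constructed, not taken from the incident.
"""
from difflib import SequenceMatcher
import re

# Hypothetical allowlist of domains the organisation actually owns.
LEGIT_DOMAINS = {"bmw.com", "bmw.co.th", "bmw.de"}
# Brand tokens that should never appear in a domain the organisation does not own.
BRAND_TOKENS = {"bmw"}

# Constructed sample proxy log lines (fictional users and hosts).
SAMPLE_LOG = """\
2019-04-02T09:15:01Z user=alice dst=www.bmw.co.th status=200
2019-04-02T09:16:44Z user=bob dst=bmw-thailand-portal.example status=200
2019-04-02T09:17:10Z user=carol dst=bnw.co.th status=200
2019-04-02T09:18:30Z user=dave dst=news.example.org status=200
"""

LOG_RE = re.compile(r"dst=(\S+)")


def normalise_host(host):
    """Lower-case the host, drop a trailing dot and a leading 'www.'."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify(host, legit=LEGIT_DOMAINS, brands=BRAND_TOKENS, threshold=0.8):
    """Return 'trusted', 'lookalike' or 'unrelated' for a destination host."""
    h = normalise_host(host)
    # Exact allowlisted domain or a subdomain of one.
    if h in legit or any(h.endswith("." + d) for d in legit):
        return "trusted"
    labels = h.split(".")
    # Brand token embedded in a domain the organisation does not own
    # (e.g. a "bmw-thailand" label under a foreign registrable domain).
    if any(b in label for b in brands for label in labels):
        return "lookalike"
    # Small edit distance from a legitimate domain (e.g. bnw.co.th vs bmw.co.th).
    if any(similarity(h, d) >= threshold for d in legit):
        return "lookalike"
    return "unrelated"


def flag_lookalikes(log_text):
    """Return the destination hosts in log_text that classify as look-alikes, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        host = m.group(1)
        if classify(host) == "lookalike":
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in flag_lookalikes(SAMPLE_LOG):
        print("look-alike domain:", host)
```

The similarity threshold is a tuning knob: too low and ordinary domains are flagged, too high and a one-character substitution such as `bnw` for `bmw` slips through. Flagged hosts are candidates for blocking at the proxy and for a user-awareness follow-up rather than automatic verdicts.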
Cimpanu, C. (2019, December 6). BMW and Hyundai hacked by Vietnamese hackers, report claims. Retrieved from https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/
EHacking News. (2019, December 7). BMW and Hyundai networks compromised by Vietnamese hackers. Retrieved from https://www.ehackingnews.com/2019/12/bmw-and-hyundai-networks-compromised-by.html
Gatlan, S. (2019, December 6). BMW infiltrated by hackers hunting for automotive trade secrets. Retrieved from https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/
NewtonBaba. (2019, December 7). BMW & Hyundai hacked by Vietnamese hackers-Report. Retrieved from https://www.newtonbaba.com/bmw-hyundai-hacked
Paganini, P. (2019, December 7). Alleged Vietnamese Ocean Lotus (APT32) hackers breached the networks of the car manufacturers BMW and Hyundai to steal trade secrets. Retrieved from https://securityaffairs.co/wordpress/94805/hacking/ocean-lotus-hacked-BMW-hyundai.html
Toulas, B. (2019, December 7). Vietnamese hackers "APT32" hacked Hyundai and BMW. Retrieved from https://www.technadu.com/vietnamese-hackers-apt32-hacked-hyundai-bmw/86959/
About the Author:
Charles Parker II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Dr. Parker's background includes work in the banking, medical, automotive, and staffing industries.