Do you know I know? BMW staff let the attackers move freely inside their network

• The group used both Windows and Mac malware in its campaigns delivered to the victims via watering hole attacks.
• A group of experts believe that the group was after intellectual property for its government and to help state-owned companies.

With a mere glimpse of what is at stake in the automotive industry cybersecurity-wise, there are many attack . Recently, the notorious APT32 group, also known as “Ocean Lotus,” was found infiltrating the networks of two car manufacturers: Bayerische Motoren Werke AG, better known as BMW, and Hyundai Motor Company.

An overview of APT32

Active since at least 2012, the group targets organizations across multiple industries, foreign governments, journalists, and dissidents.

• Experts have seen vested interest of the group in the favor of Vietnam’s manufacturing, consumer products, and hospitality sectors.
• It has also targeted peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.
• The Cobalt Strike platform was developed for Adversary Simulations and Red Team Operations, but it has also become popular among threat actors over the past years (including APT29 and FIN7).

What do we know?

According to German media, APT32 group, also suspected to have ties to the Vietnamese government, breached the networks of the car manufacturers BMW and Hyundai.

• The intrusion was reportedly aimed at stealing automotive trade secrets.
• The attackers managed to deploy the Cobalt Strike hacking tool “Cobalt Strike” in the target network.
• They used both Windows and Mac malware in its campaigns, via watering hole attacks.

“The attack the alleged Vietnamese hacker group began in the spring of 2019. Last weekend, the automobile company from Munich finally took the computers concerned off the grid. Previously, the group’s IT security experts had been monitoring the hackers for months. This is the result of research by the Bayerischer Rundfunk.” reported the Bayerischer Rundfunk (BR). “Also on the South Korean car manufacturer Hyundai, the hackers had it apart.”

Do you know I know

The attackers were originally spotted months ago by the BMW staff.

• Upon detection, the staff attempted to monitor attackers while they attempted lateral movements in the breached networks.
• A group of experts believe that the group was after intellectual property for its government and to help state-owned companies.
• BMW finally locked out the attackers at the end of November.

However, neither BMW nor Hyundai commented on the report published by the BR media outlet. Further, the same group has been linked in the past with other attacks against car vendors, including Toyota Japan, Toyota Australia, and Toyota Vietnam.