Malicious actors managed to implant Cobalt Strike software into car manufacturers' computers
The networks of major car manufacturers BMW and Hyundai have been infiltrated by the hacking group Ocean Lotus (otherwise known as APT32), which is believed to have ties with the Vietnamese government. As reported by German journalists from Bayerischer Rundfunk and Tagesschau, the intrusion occurred at some point during the spring of 2019.
The attack was discovered by BMW as soon as the penetration testing toolkit Cobalt Strike was spotted on one of the firm's computers. The commercially licensed application has legitimate uses, but it is often abused by malicious actors who want to access their targets and spy on them. According to BR, the automotive industry giant did not immediately stop the hacking activities and monitored the attackers' actions for months, until Cobalt Strike was finally taken down at the end of November.
The news outlet claims that Ocean Lotus also went after the Korean car manufacturer Hyundai, although few details are provided about that intrusion. BMW did not comment on the event itself, but provided a general statement about its network security:
"We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and enable us to quickly detect, investigate and recover in the event of an incident."
BMW and Hyundai are both leading car manufacturers worldwide, with a combined yearly revenue of approximately 178 billion US dollars.
No vital network information accessed by hackers
An anonymous source, most likely working for BMW, informed the Munich-based Bayerischer Rundfunk about the incident. According to the source, the automotive company decided not to stop the attackers' activities on the compromised networks in order to find out more about who they were and what they were seeking. As a result, no sensitive information was extracted by malicious actors from BMW, and no computers at the headquarters were affected.
BR reported that Hyundai was a victim of the same campaign, although the company also refused to comment, so the details of the attack are unknown, as is whether any sensitive information was stolen by the attackers.
Ocean Lotus/APT32 – a well-known actor in the illegal hacking business
Ocean Lotus, the group believed to be responsible for the snooping attack, is a well-known actor that has been active since 2014 and previously targeted various foreign companies within Vietnam and other Southeast Asian countries. Since 2017, however, Ocean Lotus is known to have been focusing on the automotive industry. The group has previously used Mimikatz, WINDSHIELD, Denis, and Cobalt Strike, among other software, to perform malicious activities.
Before the BMW and Hyundai incident came to light, it was publicly announced that Toyota Australia, Toyota Japan, and Toyota Vietnam had suffered similar intrusions. As a result, the data of more than 3.1 million Toyota customers was exposed and leaked online. Ocean Lotus also compromised 21 websites in November 2018, some of which belonged to governmental institutions.
According to many experts' reports, Vietnam is believed to be using cyber espionage campaigns to steal foreign intellectual property for the use of state-funded organizations. This follows the example of China, which used hacking campaigns to acquire sensitive information from the airplane manufacturing sector abroad.
The German Association of the Automotive Industry warned German companies in the summer about the Ocean Lotus espionage attacks against the automotive industry.