Protecting the Automotive Industry from APT Attacks in the Era of Industry 4.0

Apr 10, 2024


The automotive industry has long attracted cyber threat groups due to its expansive reach, encompassing vehicle manufacturing technologies and critical operational infrastructures. As one of the largest global industries, the automotive sector offers cybercriminals lucrative opportunities for espionage and financial gain. Our analysis, drawing on public sources from January 2023 to February 2024, identified 30 cybersecurity incidents targeting various facets of the automotive industry, including suppliers, manufacturers, dealers, and integrators.

Predominantly, these incidents involved ransomware attacks by notorious groups such as LockBit, Black Basta, and Qilin, as illustrated in Figure 1. This data suggests that the attacks were financially motivated and indiscriminate in nature. Employing a double extortion strategy, attackers not only encrypted high-value files but also exfiltrated data, compounding the threat to targeted organizations.

It’s noteworthy that these threat actors typically exploit widely known, already-disclosed flaws (so-called 1-day vulnerabilities) in internet-facing assets, or rely on social engineering, to breach their targets’ internal networks and then proceed directly to ransomware deployment. In these cases, keeping perimeter assets up to date and providing proper cybersecurity training can mitigate most attacks.

However, our findings also reveal six incidents outside the ransomware domain, involving Advanced Persistent Threat (APT) groups that deploy sophisticated tactics to infiltrate their targets. These incidents highlight the need for automotive companies to implement tailored defensive strategies, including the adoption of advanced threat detection and response measures, to effectively counter these more strategic threats.

Figure 1: Ransomware Attacks on the Automotive Industry (January 2023 - February 2024)


Understanding APT32’s Targeted Espionage in the Automotive Sector

In the absence of forthcoming data from the victimized companies, our analysis will center on dissecting historical and seminal cyberattacks within the automotive sector. This examination of APT groups, such as APT32, sheds light on the resilience strategies employed by the automotive industry to fend off such sophisticated threats.

APT32, also known as the OceanLotus Group, demonstrated a marked preference for targeting the automotive industry in 2019, with the apparent aim of stealing trade secrets. This inclination is widely interpreted as an effort to bolster Vietnamese domestic automotive policies through clandestine means [1] [2] [3].

Historically, APT32 has engaged in espionage against a broad spectrum of targets, including private sector entities, foreign governments, dissidents, and journalists. In a strategic pivot, the group has recently intensified its focus on the automotive sector, breaching networks of car manufacturers to exfiltrate automotive trade secrets—a primary objective of their campaign.

APT32’s modus operandi, which aligns with state-sponsored interests, incorporates a comprehensive array of tactics cataloged within the MITRE ATT&CK framework. To facilitate understanding, we’ve distilled their complex attack methodology into a simplified process, depicted in Figure 2.

Figure 2: APT32 Attack Process Simplified


Strengthening Cybersecurity Across Windows, MacOS, and Linux

In the landscape of cybersecurity threats, APT groups stand out due to their highly targeted and sophisticated methods. Unlike the broad-brush approach typical of conventional ransomware attacks, APT groups, such as APT32, meticulously craft their attacks to exploit the unique vulnerabilities of their targets. This customization extends to the development of malware that seamlessly operates across various operating systems—Windows, MacOS, and Linux—underscoring the versatility and technical ingenuity of these threats.

A case study by Trend Micro unveils a particularly elaborate example of this approach: a backdoor specifically designed to infiltrate MacOS computers [4]. This backdoor is initially spread through a seemingly innocuous Word document containing malicious macros. Once a device is compromised, the malware ingeniously leverages native MacOS commands to pilfer data. In a further display of sophistication, it assigns a unique identifier to each infected machine by generating an MD5 hash from the outputs of specific MacOS commands. This method is not just about gathering data; it’s designed to slip past defense mechanisms by masquerading as legitimate traffic.

Figure 3: Trend Micro Deobfuscated Perl Payload from the Delivery Document

Because the automotive industry relies on different operating systems depending on project requirements, it presents a broad attack surface for these APT groups. Employees in this sector may use Linux, Windows, or MacOS, each offering unique entry points for attackers. This diversity underscores a critical exposure: as APT groups enhance their malware, the risk of an automotive company’s internal network being penetrated increases significantly. Thus, it’s imperative for these companies to bolster their cybersecurity defenses across all operating systems with equal vigor. Beyond attention to MacOS and Linux, there’s a pressing need for comprehensive Operational Technology (OT) visibility. Such a holistic approach is essential not only for detecting but also for effectively containing and neutralizing these threats.



Cobalt Strike Deployed in the Target Network

In the shadowy realm of cyber threats, APT groups like APT32 have honed a particularly insidious technique: the deployment of Cobalt Strike beacons on the devices they compromise. This tool is not unique to APT32—other notorious groups such as Chimera, APT29, and Leviathan also utilize it for what’s known in the cyber world as ‘post-exploitation’ activities. Essentially, once they’ve breached a device, these beacons serve as their eyes and ears within the compromised system.

Cobalt Strike is a commercial adversary-simulation toolkit that threat actors have widely repurposed. Marketed as a comprehensive remote access toolkit, it offers attackers a broad spectrum of capabilities—ranging from discovering valuable data within the network, evading detection by security software, and escalating their access privileges, to exfiltrating sensitive information. Its versatility is further underscored by its compatibility across Windows, MacOS, and Linux platforms. Figure 4 shows a sample of an operator interacting with a victim’s desktop [5].

Figure 4: A Sample of Cobalt Strike Interactions with Victim’s Desktop

When considering the automotive industry, a sector increasingly reliant on the integration of Information Technology (IT) and Operational Technology (OT) for automated manufacturing and cloud computing, the threat posed by tools like Cobalt Strike becomes particularly acute. The flexibility in operating systems used by employees—based on project needs—widens the potential attack surface [6]. This scenario underscores a critical challenge: as automotive companies advance towards more automated and flexible production processes [7] [8], their IT and OT environments become enticing targets for APT groups equipped with sophisticated tools like Cobalt Strike.

Figure 5: Threat Groups Attack Scenario on Automotive Industry

Imagine the automotive industry as a battlefield in the digital realm, where attackers and defenders are constantly evolving. Figure 5 shows an attack example that threat groups might have used for automotive industry targets. The first step in an attack, as illustrated in our example, involves the meticulous gathering of e-mail addresses from potential targets within the automotive sector. Attackers then cunningly utilize popular cloud storage services like Dropbox, Amazon S3, and Google Drive to host their malicious tools—a common tactic among APT groups. These groups often initiate their incursion through two primary methods: drive-by compromises, which trick users into downloading malware by merely visiting a compromised website, or spearphishing emails, which are tailored messages designed to deceive recipients into opening harmful attachments or links.

In more sophisticated attacks, often at the level of nation-state sponsored APTs, zero-day vulnerabilities—previously unknown software flaws—may be exploited, particularly in high-stakes targets like the energy sector. Once an unsuspecting employee inadvertently introduces malware into their system, the stage is set for the attackers to deploy Cobalt Strike beacons. These beacons are not just tools for establishing a foothold; they are Swiss Army knives for cyber criminals, capable of exploiting vulnerabilities, disguising malicious files, pilfering data, and communicating with a command-and-control (C&C) server to receive further instructions.

The ultimate prize for these attackers often includes automotive trade secrets and intellectual property, valuable assets that can provide competitive advantages or be sold for a high price on the dark web. The situation escalates when attackers manage to move laterally within a company’s network, eventually compromising critical systems that control automated manufacturing processes. The ramifications of such breaches can be catastrophic, leading not just to the loss of sensitive information but potentially bringing production lines to a standstill.

Research by TXOne Networks sheds light on the multifaceted cyber threats facing automotive factories and underscores the significant financial and operational risks associated with such security breaches. These findings serve as a stark reminder of the need for robust cybersecurity measures in an industry increasingly reliant on digital technologies and interconnected systems.




Across the 30 cybersecurity incidents affecting the automotive industry from January 2023 to February 2024, we’ve observed that the majority were opportunistic ransomware attacks. However, there were 6 incidents that didn’t involve ransomware, some of which even resulted in production stoppages.

Compared to opportunistic ransomware attacks, Advanced Persistent Threat (APT) attacks often employ sophisticated strategies to compromise their targets. These attackers not only conduct extensive reconnaissance on their targets but also use advanced tools like Cobalt Strike for in-depth post-exploitation activities, posing a significant risk to production continuity and the security of intellectual property.

With the automotive industry embracing Industry 4.0, the integration of IT and Operational Technology (OT) environments is becoming increasingly common. When IT environments are targeted by state-sponsored APT attacks, even regulated OT environments can be at risk of lateral movement attacks. It is well-known that if threat actors gain access to the OT environment, they can disrupt production lines. Stealing trade secrets and intellectual property is also a primary objective for these attackers.

The possibility of threat actors penetrating OT systems and disrupting manufacturing processes highlights the need for a strong defense strategy. Automotive companies need to expand their cybersecurity measures to include not just Windows but also MacOS and Linux systems, ensuring comprehensive protection of all digital assets. Protecting OT environments is equally crucial, necessitating an awareness of their vulnerability to compromise. Adopting a “never trust, always verify” mindset is essential. This zero-trust approach requires strict verification of all users, devices, and processes, with access denied by default until legitimacy is established.

To effectively counter these complex threats, automotive firms must thoroughly understand and monitor their OT networks. By adopting a proactive approach, they can identify and neutralize potential cyber threats before they cause damage, ensuring the industry’s progress and the protection of its valuable assets.




[1] Julia Sowells, “Yet Again! Cyber Attack on Toyota Car Maker – Data breach”, HackerCombat, April 2, 2019.

[2] Kayla Matthews, “Incident of the week: Toyota’s second data breach affects millions of drivers”, Cyber Security Hub, August 29, 2023.

[3] LIFARS, “APT32 in the Networks of BMW and Hyundai”, LIFARS, December 21, 2019.

[4] Jaromir Horejsi, “New MacOS backdoor linked to OceanLotus found”, Trend Micro, April 4, 2018.

[5] Fortra, “Screenshots | Cobalt Strike”, Fortra, July 25, 2023.

[6] Kevin Bostic, “BMW to deploy iPads and mimic Apple Genius program to serve customers”, AppleInsider, February 11, 2013.

[7] Robbie Dickson, “How Industry 4.0 could Revolutionizing EV Manufacturing”, Firgelli Automations, July 5, 2023.

[8] Amazon Web Services, “Volkswagen Takes Production to the Cloud”, Amazon Web Services, Accessed March 15, 2024.
