- Vietnamese hackers entered the corporate network of BMW but didn’t manage to steal anything.
- BMW claims that they closely monitored their moves, and stopped them when it was time.
- Hyundai was also compromised, and a fake website was set up, but not a lot is known about this.
As first reported by Tagesschau.de, BMW and Hyundai have been breached by hackers belonging to the Vietnamese group “APT32”, also known as “Ocean Lotus”. The particular group is thought to be supported by the government of Vietnam, and we have seen it target the automotive industry before, stealing the payment and personal information of millions of Toyota customers from Australia, Japan, and Vietnam. While there are many ways to use automaker data, experts believe that APT32 is after patent information, technical secrets, method details, clever mechanical solutions, and valuable corporate secrets in general.
According to the information that is leaking via the local media outlets, the hackers managed to install the “Cobalt Strike” tool onto a BMW computer. This is a legitimate security assessment software that can be used to perform in-depth penetration tests and find various known misconfigurations and unpatched vulnerabilities. In the case of APT32 though, the tool helped them figure out how to step further inside the corporate network, spying and controlling systems remotely, getting login information, and expanding the infection to more computers in the network. This backdoor-planting operation took place quite a while back, and allegedly, BMW realized this soon enough and chose to closely monitor the hackers instead of cutting them off right away.
BMW claims that no sensitive data has been leaked, no clients have been compromised, and no intellectual information has been accessed by hackers. Part of the reason why BMW preferred to monitor the hackers' movements instead of stopping them upon discovery was to determine how far deep they have managed to infiltrate. As for Hyundai, the same news sources mention that the South Korean automaker was also hacked by APT32, but there aren’t many details about what exactly happened in this case. The hackers used dummy websites that pretended to be official portals of the two companies in Thailand, but other than that, not much is known.
During the summer, the German Association of the Automotive Industry (VDA) distributed warning messages to German automobile companies about the risk of OceanLotus as well as Chinese hackers. Remember, Asian cyber-espionage is a big problem for German companies that operate at the forefront of technological developments. Back in April, Bayer AG discovered that the “Winnti” group, which is believed to be supported by the Chinese government, had infiltrated their corporate network since many months ago.