The Ocean Lotus Hackers Group, aka APT32, has managed recently to penetrate the computer networks of BMW and Hyundai. The Vietnamese government also appears to be involved in this attack.

According to the German media BR24, the car manufacturers BMW and Hyundai have been targeted by cyberattacks emanating from the well known APT32 hackers' group. If BR24 does not give details about the piracy of Hyundai by APT32, the German media is giving some details concerning BMW.


THE HACKERS WOULD HAVE MANAGED TO PENETRATE THE FIRM COMPUTERS NETWORK

We have put in place structures and processes that minimize the risk of unauthorized external access to our systems and allow us to detect, rebuild and recover quickly in the event of an incident said the German spokesperson.

If hackers have penetrated a corporate network, they usually try to look around as inconspicuously as possible. Once a company has discovered the attackers, it's important to find out how far hackers have spread. They are watched for this, sometimes for months. "Typically, you benefit from having discovered someone to see where further compromises exist," explains Andreas Rohr of the IT security firm Deutsche Cybersicherheitsorganisation (DCSO). The goal is to throw the attacker - typically at the weekend - out of the network.

At BMW, no sensitive data should be leaked, says an IT security expert who wants to remain anonymous. Also, the hackers would not have managed to access systems at the company headquarters in Munich.

BMW claims to have monitored the activity of hackers on its network who managed to remotely install the Cobalt Strike malware, used for spying purposes and taking control of a system by activating a backdoor and create a phishing site. The car manufacturer says it blocked access to hackers by the end of November 2019.


WHAT IS COBALT STRIKE?

Cobalt Strike is a commercial, full-featured, penetration testing tool which bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATTACK tactics, all executed within a single, integrated system.

after-toyota-bmw-and-hyundai-also-targeted-by-apt32-hackers-group-1.png

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.


DO THE VIETNAMESE GOVERNMENT IS INVOLVED?

The hackers' group APT32, active since 2014, would act on behalf of the interests of the Vietnamese government to recover sensitive information from foreign dissidents, journalists but also industrial groups including those in the automotive sector. For years, the targets of APT32 included dissidents and states perceived by Vietnam as a rival or threat. It is noticeable that the group started attacking car makers at the time Vietnam started to build cars.

There is no solid evidence that the group is acting on behalf of the government, said Dror-John Röcher, a researcher for the German cybersecurity agency DCSO. However, if we look at the incidents and analyze the targets, there is strong evidence that the Vietnamese government is involved in this cyberattack.


THIS IS NOT THE FIRST TIME A CAR MANUFACTURER IS THE VICTIM OF THIS KIND OF ATTACK

Last March, the Japanese group Toyota revealed the existence of a cyberattack which generate a leak of 3.1 million customer data. At the time the Ocean Lotus group had already been suspected of being at the maneuver.