The German automotive giant BMW discovered and monitored a group of hackers who had infiltrated the company's networks and had been active since at least the spring of 2019.

BMW's security team spotted the hackers after discovering an instance of the legitimate penetration testing tool Cobalt Strike on a company computer, a tool regularly used in red team testing scenarios to simulate adversaries.

Hackers monitored for months

Following the discovery, the hackers were allowed to stay active, most likely so that BMW could collect more information on who they were, how many systems they had managed to compromise, and what data, if any, they were after, as the Munich-based public broadcaster Bayerischer Rundfunk (BR) reports.

Last weekend, after keeping a close eye on their activities, BMW's security team finally took down the compromised computers, blocking the attackers' access to the network.

Based on the details that have surfaced so far, no sensitive information should have been accessed by the hackers during the attack, and no computers at BMW headquarters were compromised, according to an anonymous security expert cited as a source by BR.

While BMW refused to comment on this specific attack, they did provide BR with the following statement:

We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident.

Hyundai also targeted

The networks of South Korean car manufacturer Hyundai were also under attack as part of the same campaign, BR reports. There are no details regarding this specific incident and Hyundai refused to provide any comments when contacted.

The tools and TTPs (Tactics, Techniques and Procedures) used by the hackers during the attacks point to the OceanLotus advanced persistent threat (APT) group (also known as APT32 or Cobalt Kitty), an APT that has shown an affinity for automotive industry targets as of late.

Vietnamese-backed threat groups tracked as 'Buffalos' were also connected to attacks against automotive targets by the threat intelligence and cyber attack response services company CrowdStrike, in a report published in October.

According to some security experts, APT32 might have also been behind a security breach of multiple Toyota and Lexus sales subsidiaries that eventually resulted in the personal info of around 3.1 million Toyota customers being exposed and potentially leaked.

Dror-John Röcher of the German managed security service provider Cybersicherheitsorganisation (DCSO) also says that the hacking group's move into targeting automotive entities has been observed right after the Socialist Republic of Vietnam decided to get into building its own 'Vinfast' cars through the Vingroup Joint Stock Company conglomerate.

APT32 is a known Vietnamese-backed hacking group that previously targeted "foreign companies investing in Vietnam’s manufacturing, consumer products, consulting and hospitality sectors."

Several attacks on research institutes from around the world, on media organizations, on various human rights organizations, and on Chinese maritime construction firms have also been attributed to this threat group in the past.

Bleeping Computer reached out to BMW and Hyundai asking for more details on how the attacks took place but had not heard back at the time of this publication.

H/T Günter Born
