Executive Summary
Automobile manufacturers and retailers face numerous challenges in defending their security perimeters against cyber threats. As software becomes increasingly interwoven into the fabric of car design, cyberattacks against newer cars have become increasingly common in recent years. Hackers have successfully attacked hardware and firmware components that are built into modern cars, which can facilitate theft or remote disabling of compromised vehicles.
But automobile manufacturers face cyber threats beyond those specifically targeting their products. These high-profile attacks have received the lion’s share of media attention because they directly impact consumers, potentially obscuring more conventional network and information security threats to automotive companies. Product security threats to vehicles may be specific to firmware built by the manufacturer, whereas network and infrastructure threats are applicable to the entire industry.
Automotive companies possess infrastructure and data that both criminals and state-sponsored threat actors target for various malicious purposes. Key network and information security threats to the automotive industry include the compromise of customer and employee data for fraud, extortion, or further attacks; the disruption of manufacturing operations and supply chains and the disclosure of data in ransomware attacks; and compromised intellectual property and competitive intelligence. Threats to the automotive industry originate not only from criminals and governments, but also from insiders and security misconfigurations.
This report breaks down several of the most common and most prominent types of cyber threats that impact automobile manufacturers and retailers, including:
· Ransomware that infiltrates corporate networks and disrupts operations
· Compromised customer and employee data used in fraud and extortion scams
· Compromised or stolen intellectual property and competitive intelligence
Ransomware: Disruption and Data Disclosure
Beyond attacks on vehicles themselves, vehicle manufacturers face the risk of attacks that disrupt manufacturing processes or supply chains. One such scenario would involve malware targeting the industrial control systems (ICS) that support assembly lines or other aspects of car manufacturing. As of this writing, however, there is no clearly documented evidence in the public domain of such an attack on an automotive manufacturer; ICS malware is unusually difficult and expensive to develop and deploy. Ransomware attacks on automotive manufacturers and their suppliers are a far more tangible threat: there are documented examples, some of which disrupted manufacturing operations or supply chains.
Honda experienced a ransomware attack in June 2020 that disrupted its customer service, financial services, and some manufacturing operations while the company responded to the incident. The perpetrators specifically targeted Honda: a sample of the Snake/EKANS ransomware submitted from a Japanese IP address around that time checked whether it could resolve an internal Honda domain name and only then began encrypting files; outside Honda's network, where that name does not resolve, it did nothing. Targeting a vehicle manufacturer suggests that the perpetrators hoped the disruption of manufacturing would pressure the victim to pay. Snake is unusual among ransomware families in that its process kill list includes some ICS-related processes. It is unclear whether that capability played any part in the attack on Honda or contributed to the disruption of its manufacturing operations.
This Snake incident was not Honda's first experience with ransomware. The global WannaCry outbreak of 2017 infected Honda, as well as Nissan and Renault, which belong to the same manufacturing alliance; all three saw some disruption of manufacturing operations as a result.
Ransomware attacks can disrupt vehicle manufacturing operations indirectly via disruptions of their suppliers. For example, in September-October 2019, Subaru of Indiana Automotive and Heartland Automotive, both of which are in Lafayette, Indiana, temporarily shut down manufacturing operations in connection with “a supplier issue” and a ransomware incident.
In February 2019, Toyota Australia disclosed that it experienced a disruptive security incident. The company did not describe the type of attack, but the description of its impact is consistent with that of a ransomware attack. The incident yielded no evidence of any data compromise but did result in the outage of enterprise networks and delays in vehicle servicing at some dealerships due to a disruption in the supply of parts.
Car parts manufacturer Gedia Automotive Group in Germany activated an emergency plan to continue supplying its vehicle manufacturing customers when REvil ransomware, also known as Sodinokibi, infected its networks in 2020. Gedia produces lightweight chassis parts for cars. The attack and the incident response forced Gedia to shut down its own manufacturing operations. The attackers later disclosed 50 GB of Gedia data, including schematics, employee PII, and customer details, when the company refused to pay the ransom.
Tesla was the target of an unsuccessful August 2020 attempt to infect the company with ransomware via a prospective insider. The ransomware operators, who were Russian, approached a fellow Russian working at Tesla and offered him between $500,000 and $1 million to plant the malware, either by inserting a malicious USB drive or by opening a malicious email attachment. They planned to launch a DDoS attack on Tesla as a diversion to occupy its security team during the main attack, and to threaten disclosure of stolen data if Tesla refused to pay. Their representative claimed that they had used insiders against other companies, collecting ransoms as high as $4.5 million, and even offered to frame a colleague the insider disliked for the attack. The employee instead cooperated with Tesla and US law enforcement, continuing to engage the operators' representative only to learn more about them, and the attack was thwarted.
Threats to disclose compromised data, in addition to the encryption of files, have become an increasingly common component of ransomware attacks on enterprise networks. The purpose of these data disclosure threats is to increase pressure on victims to pay ransoms, beyond the pressure to recover encrypted files. The disclosure of compromised files can harm businesses in a variety of ways, including reputational damage, the exposure of intellectual property or competitive intelligence, and the costs of mitigating identity theft or other forms of fraud.
Operators of the Maze ransomware family have been among the pioneers of such data disclosure add-ons to ransomware attacks, and their targets have included car dealerships. IntSights coverage of dark web criminal forums revealed that Maze operators disclosed data, including legal documents, in September 2020 that they claimed to have obtained from an attack on a Canadian car dealership. Similarly, in July 2020, Maze actors published a sample of what they described as data from a breach of Pennsylvania-based Bennett Automotive Group, which runs car dealerships. That data included tax forms and copies of employee identity documents. Previously, in June 2020, Maze actors published samples of data that purportedly came from a breach of Caldwell Toyota, a car dealership in Arkansas.
Figure 1: Maze threat actors publish data they claimed to have obtained from an attack on a Canadian car dealership.
Operators of the REvil ransomware family, also known as Sodinokibi, have also incorporated data disclosure into their ransomware tactics. IntSights coverage of dark web forums revealed that, in September 2020, REvil actors disclosed data that they claimed to have obtained from an attack on an Indiana-based manufacturer of automotive components. The data included accounting information.
Figure 2: Data stolen from an Indiana-based manufacturer of automotive components
In August 2020, REvil/Sodinokibi actors also disclosed data from a purported breach of US-based Brown Automotive Group, which runs car dealerships.
Figure 3: Data stolen in a breach of the Brown Automotive Group
IntSights researchers found a further data disclosure, this one from another Indiana-based automotive supply chain company, in August 2020. The attackers claimed to have breached the supply chain integrator Mahomed Sales and Warehousing (MSW) and published the company's data when it refused to pay. The 5 GB of data covered finances, payroll and benefits, employee PII, medical and safety matters, and other topics.
In May 2020, operators of CLOP ransomware also used data disclosure against an automotive company. The target was INRIX, which provides real-time and location-based traffic data and analytics to vehicle manufacturers and road authorities. The 46 GB of exposed data included customer and financial data and payroll information.
Figure 4: Stolen data from location-based traffic data provider INRIX
Our research also revealed compromised data from two other automotive companies in August-September 2020: the German Volkswagen Group and US-based Bruckner Truck Sales, Inc. The attackers published data they claimed to have taken in these ransomware attacks, such as sales spreadsheets and invoices, on a leak site they set up at the domain conti[.]news.
Figure 5: Leaked data from the Volkswagen Group
Compromised Customer and Employee Data for Fraud, Extortion, and Further Attacks
Criminals target enterprises in many different industries in order to compromise customer and employee data that they or third-party criminal buyers can use for a variety of malicious purposes, such as fraud, extortion, or further attacks. The value of this data or access in underground black markets varies according to its potential profitability and the level of detail that it contains. Certain sectors, such as banking and health care, are among the most popular targets, but the customer and employee data of businesses in almost any industry can become targets for compromise and enablers for fraud or further attacks. The customer and employee data of automotive companies, particularly customer data from dealerships, customer service, and financial services, can become and have become the targets of such attacks.
IntSights' research yielded an example of the sale value of car owner data in black markets. In June 2020, the actor known as "greenmoon2019" offered two databases of US car owner data for $1,000 each, or $1,500 for both. Together the databases were claimed to contain up to 180 million car owner records, including names, street addresses, email addresses, phone numbers, car model names, vehicle identification numbers (VINs), and leasing and service details.
Figure 6: A threat actor sells two databases of US car owner data at steep prices.
Dealerships are the most obvious point at which to collect customer data from automotive companies. In March 2019, Toyota Japan announced a breach of Japanese dealerships and sales subsidiaries that may have exposed the PII of 3.1 million customers. Toyota Japan emphasized that the potentially exposed data did not include payment card information but may have included names, dates of birth, and employment details. Details such as dates of birth and employment history are useful to identity thieves seeking to establish fraudulent lines of credit. Toyota Vietnam and Toyota Thailand announced around the same time that they had experienced security incidents but did not provide any further details.
Credit reports on car buyers requested by dealerships can be gold mines for identity thieves. Identity theft is more lucrative than fraud against existing bank accounts or credit cards because it lets fraudsters open new lines of credit that victims may not notice for a long time. Credit reports provide the PII and financial details that make opening such credit lines in victims' names far easier. In one case, an attacker installed a keystroke logger on the workstation of a car dealership's finance specialist and captured the credentials that the specialist used to pull customer credit reports from a credit bureau. The attacker used that access to obtain 200 customer credit reports. The credit bureau froze the dealership's access, required it to investigate and resolve the breach at a cost of $150,000, and required annual security audits of the dealership for the following five years.
Customer service operations, including those that carmakers outsource to vendors, are another potential source of consumer data. In July 2020, the South American criminal group KelvinSecTeam breached a call center providing customer service to 500,000 owners of BMW, Mercedes, Honda, Hyundai, and SEAT vehicles. The group sold access to the data in underground criminal communities. The PII included names, email addresses, street addresses, and car registration details. In 2010, a breach at a third-party vendor that sent welcome emails to newly registered Honda customers exposed the data of millions of Honda customers: names, email addresses, and VINs for 2.2 million Honda customers and the email addresses alone of 2.7 million Acura owners.
The use of data disclosure threats to extort ransoms from businesses is a growing cross-industry trend that has also affected the automotive industry. These threats usually occur in conjunction with file-encrypting ransomware attacks, as in the above examples, but data disclosure threats can also occur independently. For example, Nissan Canada Finance (NCF), which finances the purchase or lease of cars from Nissan, INFINITI and Mitsubishi dealers, received a ransom demand in December 2017. The extortionist provided a sample of NCF customer data and threatened to disclose it if NCF did not pay the ransom. NCF’s investigation yielded no evidence of a data breach and indicated instead that an insider had abused legitimate access to the customer data of fewer than 300,000 NCF customers for the purpose of the extortion attempt.
Security misconfigurations by enterprises can also enable the inadvertent exposure of automotive companies’ customer and employee data. In August 2019, a security researcher discovered the exposure of 198 million automotive consumer records in an unprotected 413 GB ElasticSearch database belonging to the California-based automotive sales lead provider Dealer Leads. The exposed information included financial data points and vehicle details. The database was exposed to the open internet and required no administrative credentials for access.
Security misconfigurations in ElasticSearch databases have occurred elsewhere, including twice at Honda in the past year and a half. In December 2019, a security researcher discovered an ElasticSearch database, reachable from the open internet without authentication, that exposed the PII of 26,000 North American Honda customers: names, street addresses, phone numbers, email addresses, VINs, vehicle details, and vehicle service records. Another researcher had previously found a different exposed ElasticSearch database at Honda in July 2019. That database exposed, again with no authentication, 40 GB of internal network details for approximately 300,000 Honda employees worldwide, including the company's CEO, CFO, and CSO. The details, which could have facilitated network intrusions, included hostnames, MAC and internal IP addresses, OS versions, and the status of patching and endpoint security software. One pointedly named table, "uncontrolledmachine," listed the machines that had no endpoint security software.
The misconfiguration of third-party cloud services poses another risk, as another example of exposed Honda customer data demonstrates. In May 2018, Honda India exposed the data of 50,000 users of the company’s Honda Connect mobile vehicle management and customer service app on two public AWS S3 buckets.
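The Honda Connect exposure above is the classic public-bucket misconfiguration. The following is an added example, not code from the report or from Honda: a checker that takes the three bucket-level controls that decide whether an S3 bucket is world-readable (the bucket policy, the bucket ACL, and the account or bucket public access block) and flags each one that opens the bucket to everyone. The bucket names, policies, ACLs and account ID below are constructed for illustration; in practice the three inputs come from the corresponding get-bucket-policy, get-bucket-acl and get-public-access-block API calls.

```python
"""Added example (not from the IntSights report): flag S3 bucket settings
that make a bucket readable by anyone. All sample data is constructed."""

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def _principals(stmt):
    """Normalise the Principal element ("*", {"AWS": "*"}, {"AWS": [...]})
    to a set of strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return {"*"}
    if isinstance(p, dict):
        aws = p.get("AWS", [])
        return {aws} if isinstance(aws, str) else set(aws)
    return set()


def public_policy_sids(policy):
    """Sids of Allow statements open to the anonymous principal. Statements
    with a Condition are skipped here but still deserve a manual look: a
    condition such as a broad aws:SourceIp range is barely narrower than
    no condition at all."""
    hits = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(acl):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers.
    AuthenticatedUsers means any AWS account in the world, not just yours."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], g["Permission"]))
    return out


def audit_bucket(name, policy, acl, public_access_block):
    """Combine the three controls into one verdict for a bucket."""
    findings = []
    pab = public_access_block or {}
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    findings += [f"policy statement {sid} allows the anonymous principal"
                 for sid in public_policy_sids(policy)]
    findings += [f"ACL grants {perm} to {group}"
                 for group, perm in public_acl_grants(acl)]
    return {"bucket": name, "public": bool(findings), "findings": findings}


# Constructed sample inputs: an exposed bucket and the corrected version.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*"}]}
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
WEAK_PAB = {f: False for f in PAB_FLAGS}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    # Only the application's role may read; the role ARN is a placeholder.
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-api"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*"},
    # A Deny with Principal "*" is not an exposure; it closes plain HTTP.
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-app-exports", "arn:aws:s3:::example-app-exports/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"}]}
HARDENED_PAB = {f: True for f in PAB_FLAGS}

if __name__ == "__main__":
    for args in (("example-app-exports (weak)", WEAK_POLICY, WEAK_ACL, WEAK_PAB),
                 ("example-app-exports (hardened)", HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB)):
        print(audit_bucket(*args))
```

The public access block is checked first because it overrides the other two: with all four flags on, a stray public ACL or policy statement is ignored by S3, so a bucket that fails only the policy or ACL check but has the block fully enabled is mis-hygienic rather than exposed.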
Automotive businesses can also become targets for business email compromise (BEC) attacks, which affect organizations in all industries. BEC attacks social engineer businesses into sending large sums of money to attackers by posing as senior executives or external partners via compromised email accounts or by impersonating genuine people. BEC attackers typically compromise enterprise email accounts in spear-phishing attacks or with keystroke loggers. They typically use this access to lure other employees into sending money to them, or as a source of information on business processes with which to manipulate targets by other means. In one case, BEC attackers social engineered an exotic car dealership into sending $253,000 to them. The attackers compromised an email account, possibly via a malicious link in an email message, and used that access to alter the bank account details for a transaction.
A European subsidiary of Toyota Boshoku, the Toyota group supplier of seats and interiors, became the victim of an unusually large BEC attack, worth about $37 million, in August 2019. The attacker social engineered a Toyota Boshoku employee into paying a fraudulently altered vendor invoice. Toyota Boshoku warned that it might have to lower its earnings forecast for the year if it could not recover the money.
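Both BEC cases above turn on the same weak point: a change in where money is sent was accepted on the strength of an email. The following is an added example, not code from the report or from any company it names, of the payment-release control that closes that gap. An invoice whose payee account differs from the vendor master record is held until a second employee confirms the change by calling a number already on file (never a number printed on the new invoice or supplied in the requesting email), because in a compromised-mailbox BEC the message is genuine in every respect except its intent. The vendor records, invoices, amounts and threshold are constructed for illustration; the IBANs are the standard published example values.

```python
"""Added example (not from the IntSights report): hold payments whose
bank details changed until the change is verified out of band."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    iban: str              # account captured at onboarding
    callback_phone: str    # verified contact, recorded independently of email
    email_domain: str      # domain the vendor's staff normally write from


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    number: str
    amount: float
    payee_iban: str        # account the invoice asks to be paid to
    sender_email: str


@dataclass
class Decision:
    release: bool                      # may proceed to approval
    reasons: List[str] = field(default_factory=list)


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


def assess_invoice(inv: Invoice,
                   master: Dict[str, VendorRecord],
                   verified_changes: Set[Tuple[str, str]],
                   dual_approval_threshold: float = 50_000.0) -> Decision:
    """verified_changes holds (vendor_id, normalized iban) pairs that a
    second employee has already confirmed by callback. Any other account
    that differs from the master record is held, however plausible the
    accompanying email looked."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return Decision(False, ["unknown vendor id; onboard and verify first"])

    reasons: List[str] = []
    new_iban = normalize_iban(inv.payee_iban)
    if new_iban != normalize_iban(vendor.iban):
        if (inv.vendor_id, new_iban) not in verified_changes:
            return Decision(False, [
                f"payee account differs from vendor master for {vendor.name}; "
                f"hold pending callback to {vendor.callback_phone}"])
        reasons.append("payee account change verified by callback")

    sender_domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        # Not a hard block on its own (vendor staff do use other addresses),
        # but together with an account change it is the classic BEC pattern.
        reasons.append(f"sender domain {sender_domain} differs from "
                       f"vendor domain {vendor.email_domain}")

    if inv.amount >= dual_approval_threshold:
        reasons.append("amount at or above threshold; second approver required")

    return Decision(True, reasons)


# Constructed vendor master and invoices.
MASTER = {
    "V-1041": VendorRecord("V-1041", "Example Seating GmbH",
                           "DE89 3704 0044 0532 0130 00", "+49 30 0000000",
                           "example-seating.example"),
}
LEGIT = Invoice("V-1041", "INV-2001", 12_000.0,
                "DE89 3704 0044 0532 0130 00", "ap@example-seating.example")
# Same (compromised) mailbox, but the invoice now names a different account.
ALTERED = Invoice("V-1041", "INV-2002", 12_000.0,
                  "GB29 NWBK 6016 1331 9268 19", "ap@example-seating.example")

if __name__ == "__main__":
    print(assess_invoice(LEGIT, MASTER, set()))
    print(assess_invoice(ALTERED, MASTER, set()))
    print(assess_invoice(ALTERED, MASTER, {("V-1041", "GB29NWBK60161331926819")}))
```

The important design choice is that the hold is keyed on the account change itself, not on any property of the email, so it works equally against an attacker writing from a genuine compromised mailbox and one writing from a lookalike domain; the domain comparison is only an extra signal for the approver.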
Criminals often sell unauthorized access to enterprise networks, including those of automotive companies, to other criminals on underground criminal forums or black markets. The buyers of this unauthorized access can use it for a variety of malicious purposes, including the collection and sale of customer and employee data, or the deployment of ransomware.
IntSights coverage of a highly trusted underground forum for vetted Russian-speaking criminals revealed that, in September 2020, the actor with username "pshmm" offered to sell unauthorized access to the networks of MG Motor India, the Indian subsidiary of the Chinese SAIC Motor Corporation, via Remote Monitoring and Management (RMM) software. This access would let the buyer reach the domain controller, transfer files, issue commands, change firewall rules, and disable security software. The compromised network included 33 servers and more than 800 workstations. The asking price was $4,500 USD. The actor did not indicate how he had gained this RMM access, but RMM software is commonly used by third-party managed service providers (MSPs), to which other companies outsource IT operations, so a compromised MSP is one plausible origin. Compromising MSPs has become a popular method for targeted attacks on enterprise networks, particularly with ransomware, because a single MSP compromise grants access to dozens or even hundreds of that provider's customers.
Compromised Automotive Intellectual Property and Competitive Intelligence
Vehicle manufacturers possess valuable intellectual property that threat actors, particularly those operating under state sponsorship, may seek to compromise. In the case of state-sponsored cyber espionage, a typical goal of such attacks is to use compromised foreign intellectual property to enable the companies of one’s own country (particularly state-owned enterprises) to emulate the products of foreign competitors and thus compete with them more effectively. In the case of the automotive industry, the compromise of proprietary designs or engineering schematics for vehicle models would be the primary objective of such attacks.
Another related objective for such attacks is the acquisition of competitive intelligence in support of state-owned enterprises or other businesses in one’s own country. Such intelligence could include details on marketing, distribution, or pricing plans and strategies that competitors could use against victims in the marketplace, or insights into business processes and best practices that competitors could emulate in order to improve their competitiveness.
State-sponsored Chinese cyber espionage groups are the best-known practitioners of such activity, being among the most prolific and aggressive in this regard, but the state-sponsored groups of other countries engage in it as well. The clearest example of a state-sponsored group targeting the automotive industry for such purposes is the Vietnamese APT32, also known as OceanLotus. The presumed goal of these attacks is to support the growth and competitiveness of the Vietnamese automobile manufacturing startup VinFast. OceanLotus normally focuses on Southeast Asian targets but has expanded its geographic scope in its attacks on foreign automotive companies.
In December 2019, APT32 was reported to have targeted both BMW and Hyundai in similar attacks. The targeting of BMW is notable because BMW is a VinFast partner: VinFast's first two models are built under license on BMW platforms. The incident is a reminder that state-sponsored threat actors are often willing to target allies and partners, not just adversaries and competitors.
The attack on BMW, which began in early 2019, was typical of APT32 in its use of the commercially available Cobalt Strike penetration testing platform rather than custom malware. Sophisticated threat actors often abuse legitimate penetration testing tools or other widely used software to reduce the likelihood of detection and to make attribution harder. The initial lure was a website spoofing that of BMW Thailand. BMW detected the intrusion early but allowed it to continue for months in order to observe APT32's activities before shutting it down. In connection with this incident, the German Association of the Automotive Industry (VDA) circulated to its members a warning from the German Federal Office for the Protection of the Constitution (BfV), Germany's domestic intelligence service, about APT32's targeting of the German automotive industry.
Foreign governments are not the only threat to the trade secrets of automotive companies. Insiders can also compromise automotive intellectual property and hand competitive intelligence to rivals. In 2018, Tesla sued a former employee, alleging that he had installed code on the workstations of other employees that continued to export data from Tesla's network after he left, in the hope that the breach would be attributed to those colleagues. Tesla claimed that he passed the exported data to unspecified "third parties." The employee maintained that he was a whistleblower seeking to expose alleged safety issues at Tesla.
Automotive companies and their partners can accidentally expose trade secrets via security misconfigurations, and reliance on vendors exposes customers to weaknesses in their vendors' security. In 2018, it emerged that a server misconfiguration at Level One Robotics, a Canadian provider of industrial automation services, exposed sensitive documents from several automotive companies, including GM, Chrysler, Ford, Tesla, Toyota, and VW. The 157 GB of exposed data included assembly line schematics; factory floor plans; robotic blueprints and configurations; request forms for VPN access and ID badges; the personally identifiable information (PII) of Level One Robotics employees; and banking details for Level One. The server's rsync service, used to back up large amounts of data, was neither restricted by client address nor protected by authentication, so any rsync client that connected to the rsync port could download the data.
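An rsync daemon ends up in the state described above through a handful of defaults: with no "hosts allow" line any address may connect, with no "auth users" line no credentials are asked for, and modules are listable by anyone who asks. The following is an added example, not code from the report or from Level One Robotics: a small linter for rsyncd.conf that resolves each module's effective settings (module value, else global value, else rsync's documented default) and flags the combinations that leave a module exposed. Both configuration files are constructed; the path, address range and account names are placeholders.

```python
"""Added example (not from the IntSights report): lint an rsyncd.conf for
modules that are reachable from anywhere, unauthenticated, or writable.
The two sample configurations below are constructed."""

# rsync's own defaults for the settings that matter here.
DEFAULTS = {"hosts allow": "", "auth users": "", "secrets file": "",
            "read only": "yes", "list": "yes", "use chroot": "yes"}


def parse_rsyncd(text):
    """Return (global_settings, {module: settings}). rsyncd.conf is
    INI-like: global keys precede the first [module]; keys are
    case-insensitive and '#' or ';' start a comment."""
    global_settings, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        (modules[current] if current else global_settings)[key.lower()] = value
    return global_settings, modules


def _truthy(value):
    return value.strip().lower() in {"yes", "true", "1"}


def audit_rsyncd(text):
    """Map each module name to a list of findings; an empty list means the
    module is limited to known addresses, authenticated, and read-only."""
    global_settings, modules = parse_rsyncd(text)
    report = {}
    for name, settings in modules.items():
        def eff(key):
            return settings.get(key, global_settings.get(key, DEFAULTS[key]))

        findings = []
        hosts = eff("hosts allow")
        if not hosts or hosts.strip() == "*":   # treat a bare '*' as no restriction
            findings.append("hosts allow missing or wildcard: any address may connect")
        if not eff("auth users"):
            findings.append("auth users missing: module needs no authentication")
        elif not eff("secrets file"):
            findings.append("auth users set but no secrets file: authentication cannot work")
        if not _truthy(eff("read only")):
            findings.append("read only = no: clients could write or delete data")
        if _truthy(eff("list")):
            findings.append("list = yes: module name is enumerable with 'rsync host::'")
        if not _truthy(eff("use chroot")):
            findings.append("use chroot = no: symlinks can escape the module path")
        report[name] = findings
    return report


# Constructed: how a backup host ends up exposed. Nothing here is wrong
# syntactically; the exposure comes from what is left unsaid.
WEAK_CONF = """\
uid = nobody
gid = nobody
[backups]
    path = /srv/backups
    comment = nightly dumps
    read only = no
"""

# Constructed: the same module restricted to one subnet and one account.
HARDENED_CONF = """\
uid = rsyncbackup
gid = rsyncbackup
use chroot = yes
list = no
[backups]
    path = /srv/backups
    comment = nightly dumps
    read only = yes
    hosts allow = 10.20.30.0/24
    auth users = backup-pull
    secrets file = /etc/rsyncd.secrets
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_rsyncd(conf))
```

The linter only reads the daemon's configuration; it says nothing about whether the rsync port is reachable from the internet at all, which is the other half of the Level One exposure and belongs to firewall review rather than to this file.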
Conclusion and Recommendations
The product security of the vehicles that automotive companies manufacture and sell is a key feature of their threat landscape, but car hacking is certainly not the only threat that the automotive industry faces. Automotive companies face network and information security threats similar to those that other organizations face, although the nature of their products influences the ways in which those threats manifest.
Automotive intellectual property and business strategies are valuable targets for foreign competitors, such as those in Vietnam that use cyber espionage to gain product and business advantages. Automotive companies can enhance their defenses for their intellectual property or other critical or high-value data with file encryption and network segmentation.
Automotive manufacturing and servicing operations and the supply chains on which they depend are vulnerable to disruption by ransomware and, potentially, by ICS malware. The most important recovery control against ransomware is a system of frequent, redundant, and segmented backups, with at least one copy kept offline or otherwise immutable so that the ransomware cannot encrypt or delete it, enabling restoration without paying. Backups restore availability but do nothing against the data disclosure threat described above, which is why they must be paired with preventive controls. Paying ransoms is generally not advisable: operators are often unwilling or unable to restore files after payment and may simply demand more money. An emergency plan to continue deliveries in the event of a disruptive security incident, like that of Gedia Automotive Group, can mitigate the consequences of supply chain disruptions from such attacks.
Criminals target automotive companies for customer and employee data that they can use for a variety of malicious purposes, including identity theft, other forms of fraud, extortion, further intrusions, and BEC scams. File encryption and network segmentation can provide additional layers of protection for sensitive data. Security awareness training for employees can reduce the vulnerability of users to phishing attacks and other social engineering techniques that many actors use to gain initial network access in search of such data. Insider threat programs can enable organizations to detect and thwart malicious insiders. Security audits and penetration tests can reveal security misconfigurations and other gaps in defenses that attackers might use.
Adopting an advanced cyber threat intelligence (CTI) solution can help security teams stay one step ahead of threat actors targeting their organizations. Comprehensive CTI solutions continually monitor customers’ digital assets, like domains and leaked databases of company credentials, to proactively identify potential threats targeting them. Armed with knowledge of validated emerging threats, security decision makers can take action to take down these threats before they evolve into full-fledged cyberattacks that can devastate corporate networks and systems.