FireEye Stories Blog

Cyber Threats to the European Automotive Industry Part Two: Cyber Espionage Campaigns

The automotive industry is characteristically innovative. Cars are being upgraded on a daily basis. With the industry being influenced by many technologies—computer, information security, communication, network and encryption—the importance of cyber security will continue to escalate with the pace of globalization and communications. As vehicles become increasingly complex and more connected to the Internet, they are also becoming more vulnerable to cyber attacks.

The cyber risks faced by automotive companies can include:

  • Reputation and brand damage
  • Potential license issues
  • Loss of supplier and existing customer faith
  • Financial penalties
  • Loss or corruption of contact data
  • Legal costs
  • Breaking the supply chain and disrupting partners
  • Failed service-level agreements
  • Potential lost revenue
  • Lost opportunities due to reduced company valuation
  • Lost potential customers
  • Share depreciation
  • Additional vendor costs associated with remediation

Cyber espionage is a large threat to vehicle development, production and delivery. Because the industry is highly competitive, not just between different manufacturers but also between different countries, there is a huge drive towards new technologies and innovation. FireEye has most often observed cyber espionage activity targeting the automotive industry from groups linked to China, but has also found activity from North Korean and suspected Vietnam-linked groups. These state-sponsored threat actors’ goal is to steal information from vehicle manufacturers: certainly any kind of innovative research, but also development and intellectual property information that could provide any kind of advantage.

Nation state attackers may also target the automotive industry in order to get information on new technologies that are being developed for military purposes. Stealing intellectual property isn’t new. But targeting automotive constructors (F1 teams could be included here) could provide nation state adversaries with a raft of information developed for governments or militaries, including autonomous vehicle systems, artificial intelligence, sensor detail and even deployment.

In the past, the focus of cyber espionage activity in the auto sector has mainly been directed at research and development data from automobile manufacturers, with hacker groups particularly active in spying out the technical advances of Western manufacturers and using them for their own economic development. More recently, operational data and processes have also been targeted. Due to progressive modernization and digitization, artificial intelligence data for autonomous driving and the development of powerful batteries have also been in the focus of hackers. In all cases, the stolen information can cause significant damage to the originating company.

The whole industry is a wealth of opportunity for cyber actors seeking financial gain, economic gain and competitive advantage, and potentially cyber warfare and economic disruption. Researchers have seen intrusions in the automotive industry across Europe over the past few years, mainly from Chinese attackers. Additional activity has also been seen from North Korea and Vietnam.

Vietnamese “state-aligned” group APT32 is targeting foreign automotive companies in activity that appears intended to support the country’s vehicle manufacturing goals. FireEye has seen APT32 activity accelerating since February 2019; these operations don’t appear to be aimed at acquiring intellectual property; rather, they seem to be looking for corporate operational information.

The group has targeted security, technology infrastructure and consultancy companies, and political activists. While attackers from China, Iran, Russia, and North Korea remain the most active cyber espionage state sponsors tracked by FireEye, groups such as APT32 represent a growing number of new countries involved in such activities.

Suppliers and other third-party vendors are also targeted by actors seeking information about the automotive sector. Sometimes illogically, they can be low-hanging fruit for the cyber threat actor, and they come under attack so that additional systems up the supply chain can be compromised in order to gain access to the targets’ primary networks. Whether access is gained through third parties or directly, a manufacturer could be presented with a range of malevolent actions, which, of course, could include espionage, data theft, process disruption or vehicle system compromise.

The safety of the network is critical, and it is therefore imperative to have an advanced technological strategy. Authentication can be a big failing in security: operations need to be able to authenticate network identities. As security threats continue to evolve, most organizations remain reliant on reactive, technology-based security solutions to protect their most valuable assets. Technology alone does not fully protect against a determined attacker, and it is difficult and costly to find, hire, train and retain security experts, especially those who specialize in finding covert threats.

It’s advisable to monitor your network around the clock with a proactive, analyst-driven approach leveraging the latest threat intelligence cultivated from experience. Managed detection and response combines industry-recognized cyber security expertise, cyber technology and an unparalleled knowledge of attackers to help minimize the impact of a breach. Specialist cyber security professionals can continuously monitor global cyber threats and harness machine, campaign, adversary and victim intelligence gained on the front lines of the world’s most consequential cyber attacks.

FireEye offers a full range of products and services that help our customers understand evolving attacker motivations and methodologies. Powered by industry-recognised expertise and nation-state grade threat intelligence sourced from machine, adversary, campaign and victim intelligence, FireEye enables smarter decision-making to help organizations outmanoeuvre their attackers.

Our clients benefit from our intelligence-led, technology-enabled services, such as rapid incident response services to minimize the impact of compromise, and security assessments, enhancement and transformation services to minimize risk through informed decision-making and improved security posture.