OceanLotus APT Breaches BMW and Hyundai

Delaware, USA – December 9, 2019 – Since at least the spring of 2019, the Vietnamese APT group has had access to the networks of the German manufacturer BMW – Bayerischer Rundfunk reports. The fact of compromise became known when the security team discovered the Cobalt Strike penetration testing tool on the company’s computers, which has been actively used by cybercriminals during attacks in recent years. After the intrusion was discovered, the experts decided to track the APT group’s activity and find out more information: how many systems they managed to compromise and what data they needed. The BMW security team monitored attackers’ actions for several months before cleaning compromised computers and blocking the Ocean Lotus group from accessing the network. According to experts, the attackers could not gain access to sensitive information or BMW headquarters computers.

Bayerischer Rundfunk informed that the network of South Korean automotive giant Hyundai has also been targeted during this campaign. Hyundai declined to provide any comments regarding the incident. The tools and techniques used by the group during the attacks point to the Vietnamese advanced threat actor OceanLotus (also known as APT32 or Cobalt Kitty). The group has been active for about four years, and this spring added automotive companies to its target list. Experts link this to the growth of VinFast startup, and they suggest that the Vietnamese government is attempting to steal intellectual property to use it in the startup’s projects.
You can explore other techniques and tools used by OceanLotus group, as well as find content for their detection in the Threat Detection Marketplace: https://tdm.socprime.com/att-ck/