Emerging Threats to the Automotive Supply Chain From Ransomware Groups

February 22, 2024
CyberThreat Research Lab

By Omar Yang (Senior Threat Researcher, Automotive)

On the heels of the apparent cyberattack on CIE Automotive that we recently analyzed, a few more entities in the automotive supply chain, including manufacturers (OEMs) and suppliers, have fallen victim to sophisticated ransomware attacks in January 2024 alone. These cybersecurity incidents underscore the growing threat landscape and the diverse tactics employed by attackers.

A quick look at the incidents

In January 2024, Hyundai Motor Europe — the European division, headquartered in Germany, of the South Korean car manufacturer Hyundai Motor Company — experienced a security breach. The organization detected suspicious activities within its network, attributed to an intrusion. According to BleepingComputer, BlackBasta conducted the attack in early January, claiming to have stolen 3 terabytes of data from Hyundai Motor Europe. While BlackBasta emerged on the cybercrime scene only in 2022, the group is believed to be an offshoot of the notorious Conti, a ransomware group involved in numerous high-profile cyberattacks, demonstrating a sophisticated level of threat to organizations worldwide.

Asbury Automotive Group, a prominent car dealership chain in the US, fell victim to the Cactus ransomware group, also in January. The Cactus group, first identified in 2023, has been actively targeting entities within the automotive supply chain, as evidenced by its recent cyberattack on CIE Automotive, a prominent automotive parts supplier headquartered in Spain.

Furthermore, Jasman, a leading tire supplier based in Mexico, reported a cyberattack by the LockBit group last month. LockBit’s operations are well-documented, with the group being known for aggressively pursuing financial extortion by exploiting vulnerabilities within corporate networks.

January’s string of automotive cybersecurity incidents suggests that ransomware incidents will continue to be on the rise, as we noted in VicOne’s automotive cybersecurity predictions and recommendations for 2024. These attacks also highlight a common pattern: Cybercriminals are exploiting weaknesses such as software vulnerabilities, misconfigurations, and phishing techniques to gain unauthorized access to their targets’ networks. The primary motivation behind these breaches appears to be financial gain, with ransomware groups taking advantage of the critical roles of their victims in the automotive supply chain to demand substantial ransoms.

Far-reaching impacts on the automotive industry

The objective of ransomware groups could extend beyond mere financial extortion: It encompasses a strategic interest in the sensitive data of their victims. This includes personally identifiable information (PII), financial records, and other credentials. While the encryption of such data disrupts access for legitimate users, potentially crippling business operations, threat actors often escalate their attacks by compromising the underlying infrastructure. This can lead to denial of service (DoS), further exacerbating the impact on the victims’ operations.

Moreover, these cyberattacks carry a significant risk of data exfiltration. Ransomware groups not only encrypt data but also steal it, leveraging the threat of public disclosure as an additional means to extort their victims. The implications of such breaches are particularly alarming in the automotive industry. Given the increasing interconnectivity of modern vehicles, the unauthorized disclosure of sensitive credentials could have dire consequences. Attackers could potentially exploit this information to gain remote access to connected cars, enabling them to unlock doors, start engines, or even take control of vehicle functions.

The security of interconnected vehicle systems is a growing concern, underscored by research demonstrating the feasibility of remote vehicle manipulation. With the correct credentials, malicious actors can execute commands from afar, posing a significant threat to vehicle safety and security. This scenario is not hypothetical; advancements in automotive technology, especially the integration of APIs for various functionalities, have made cars more vulnerable to such sophisticated cyberattacks.

Putting the brakes on ransomware incidents

As the automotive industry becomes increasingly connected, the focus of automotive cybersecurity goes beyond traditional IT systems. The interconnectedness means that a breach in the IT system can potentially impact vehicles on the road. In this context, solutions emphasizing on-board traffic monitoring, effective management of vulnerabilities, and robust security for cloud services, APIs, and endpoints become crucial. The potential for remote exploitation of vehicles, for example, highlights the urgent need for measures including secure credential management, enhanced data protection protocols, and comprehensive monitoring of vehicle system access.

Overall, these solutions represent a shift toward more integrated and responsive cybersecurity measures in the automotive industry, recognizing the unique challenges posed by the increasing connectivity and complexity of today’s connected vehicles.

To read more research on other possible vulnerabilities in connected vehicles and learn best security practices, visit our resource center.
