Cybercriminals are recognizing that the data that automotive companies have to offer – from customer and employee personally identifiable information (PII) to financial data – is invaluable.
Recently, one attacker installed a keystroke logger on the workstation of a car dealership’s finance specialist, to obtain their credentials and access customer credit reports. Another launched a ransomware attack on Toyota Australia, leading to delays in servicing and disruption in the supply of parts.
Paul Prudhomme, cyber-threat intelligence analyst at IntSights, warned in new Thursday research that automotive cyberattacks are on the rise – whether they’re aimed at intellectual property (IP) theft or bent on delivering ransomware. And, with the ongoing pandemic shaking up both the sales and supply chain across the automotive industry, the risks of cyberthreats are only adding on to an existing pile of problems.
Listen to this week’s Threatpost podcast episode with Prudhomme, to learn more about the threat landscape for automotive companies.
Below find a lightly-edited transcript of this podcast.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast, everybody. This is your host, Lindsey O’Donnell-Welch, and we are going to be talking today about automotive manufacturer and company security, and specifically the threat landscape for automotive companies. So joining me today is Paul Prudhomme, who is the cyber security intelligence analyst with IntSights, and he has done some research into the security threats that are facing auto companies. So Paul, thank you so much for joining us today.
Paul Prudhomme: Thank you for having me.
LO: Paul. Just to start, can you tell us a little bit about yourself and how, in particular, you became interested in this topic around automotive cybersecurity?
PP: Okay. Well, I’ve been in the commercial cyber threat intelligence industry for a couple of years now, with various vendors. I just joined the IntSights team recently, and I’m very happy to be here. So, and before getting into the commercial cyber threat intelligence business, I was a contractor in the U.S. intelligence community, where I also dealt with cyber issues, not cyber intelligence, per se, but intelligence in cyberspace, let’s say. So, to the second part of your question, as for automotive security, well, we do have a fair amount of customers in the automotive space. So we thought it was important to cover this topic. We do see quite a bit of coverage, specifically, of threats to automotive products. In other words, car hacking, to put it loosely. This is obviously an issue with the security of the products that automotive security companies produce. We wanted to shift the discussion a bit and cover another aspect of the threat landscape that has not gotten quite as much coverage: information and network security threats to the companies themselves, and not so much to the cars and other products that they produce. Obviously, the idea of, you know, somebody to hack into a car and steal it, or cause it to have an accident, whenever they see something like that, that gets a lot of attention. But there are some sort of more mundane and prosaic types of threats that could happen to automotive companies, just like any other companies in any other industry.
LO: That’s a really good point. I feel like there is a lot of hype around kind of hacking vehicles and rightly so because we’re seeing this increase in vulnerable in-vehicle infotainment systems and the increase of Bluetooth and all these new vulnerabilities. But when you look at it through the eyes of cyber criminals, I feel like the low hanging fruit isn’t so much the vehicles themselves, but more ransomware attacks and compromising customer data, and employee data. Just to kind of set the context here, can you talk a little bit about why these types of attacks stick out to you as something that are important that we really need to shed light on?
PP: Well, there’s a couple different aspects to it. And there’s three main trends or patterns within attacks on the automotive industry other than actual car hacking. One is the theft of intellectual property, and the collection of competitive intelligence. This is the type of thing that you would normally associate, particularly, with Chinese state sponsored actors. But in the case of the automotive industry, it’s actually Vietnam that seems to be the most aggressive and prolific player, specifically the group known as APT32, or Ocean Lotus, which has targeted foreign car manufacturers. The goal here apparently, is to support VinFast, which is a Vietnamese automotive startup. So it’s not, you know, there’s economic competition there. They’re trying to make their Vietnamese car product more competitive, relative to the automotive industries of other companies, trying to get a leg up either stealing things like intellectual property, things like designs, engineering schematics, or to try to find out their marketing and pricing strategies to get a leg up against them in the market. So that’s, I think, one of the most interesting and one of the most sophisticated threats out there.
There’s also ransomware, of course, which is a threat to almost every industry, anybody that has a computer. We’ve seen a number of car manufacturers and car dealerships that have been hit with ransomware attacks. And this can of course, disrupt manufacturing operations at the manufacturers, and it can also disrupt supply chains and servicing operations if the second tier suppliers and car manufacturers get hit. In other words, the car manufacturers can’t manufacture cars, if they don’t have the parts, because the part manufacturers have a ransomware infection. And as sort of an add-on to that we have been seeing in our coverage of underground criminal communities, that there have been data disclosure components to these ransomware attacks as well. In other words, they don’t just encrypt your files and hold them for ransom. They also threaten to – and often do – release whatever compromised data they collected during the attack. Now, this has been a trend across all the various industries. But we have been seeing that quite a bit with automotive companies as well. And in our report, we do have documentation of that. And then third, and finally, there is of course, the theft of consumer and also employee data that could be used for any number of fraudulent or other malicious purposes, like identity theft, and account takeovers. Just like any other company, car companies do have PII, or personally identifiable information, on customers. And that information can be used for fraud, just as they could use information from banks, healthcare organizations, and so on. The automotive companies might not be the first place that you would think to look, but it is there. So there’s that too. So I’d say those three – intellectual property, ransomware and customer data – those are the three big issue areas outside of car hacking.
LO: Right, right. And, you know, these are definitely big issues facing this industry in normal times. But then all of this is on top of the current pandemic, that’s in full swing right now. And I’m sure that automotive manufacturers are really kind of already feeling a hit in terms of car sales and disruption to the supply chain, and on top of these existing issues as well. So that’s a component there to consider, too.
PP: Yes. And speaking of supply chain disruptions, which obviously, you mentioned the effect that pandemic has had on that, obviously, that’s affecting, you know, all industries in one way or another, some more than others. I will say there are some incidents, not during the pandemic, but before that, that do sort of speak to this issue. For example, supplier issues, where a supplier gets hit with ransomware. This happened in September and October of last year to Subaru of Indiana Automotive and Heartland Automotive. Obviously, getting in Indiana, there’s, you know, a fair amount of manufacturing there and they had to shut down, not because they got hit, but because their supplier got hit. There was another case earlier this year, before the pandemic, where the GEDIA Automotive Group in Germany, they also got hit with REvil ransomware, also known as Sodinokibi. So they produce lightweight parts for cars. They had to shut down that and obviously any car manufacturer that is dependent on that company for parts would have some disruption to its operations, even if the ransomware attack did not affect them directly. Fortunately, this company did have an emergency plan. So they were able to mitigate the disruption to their operations, although they could not prevent it entirely. So yes, supply chain disruptions are one potential implication of ransomware attacks.
LO: Right. Right. And I know that you highlighted those incidents in your research and there was one other – I think it was Toyota Australia saw delays in servicing and disruption of supply parts as well, due to ransomware – it’s really important to look at this piece of ransomware attacks as well, kind of what it means not just in terms of customer data, which is important, but also what it means if the manufacturing part of the company is affected as well and really how that could affect industrial control systems and critical infrastructure and it really has an impact that is kind of waving out for a long time in terms of what that means for cost and for product rollout and things like that. What were you seeing there in terms of what this meant for manufacturers in the long term when they’re hit with these types of attacks?
PP: So you said the magic word: ICS. Like any manufacturer, car manufacturers might have, yeah, will have a fair amount of ICS for assembly lines, and as part of their broader manufacturing operations. So the question I asked myself when I started researching this is, are there any examples of a car manufacturer suffering an ICS malware infection. I could not find any clearly identifiable examples. However, in June of this year, Honda experienced a ransomware attack in Japan with the version of the Snake ransomware, also known as EKANS ransomware. In other words, “Snake” backwards. So Snake is a little different from traditional ransomware families in that it can actually target some ICS processes and terminate them. Now, it’s not clear if this particular attack actually targeted any of Honda’s ICS processes.
That’s a very interesting question that I would personally like an answer to. Because that would, I think, be a groundbreaking incident if that were the case.
LO: Beyond, you know, ransomware, that’s impacting supply chain and whatnot. And obviously, there is a lot of data there that if accessed by cyber criminals, it can be detrimental to customers, right? I mean, can you talk a little bit about the type of customer data you mentioned before, PII, but there’s a lot there as well, in terms of finances and credit lines and bank accounts, as well. What kind of data is at stake here? And what does it mean, if cyber criminals are able to ultimately get their hands on this type of data? What kind of subsequent attacks can they launch then?
PP: So you said another magic word: finance. So yeah, obviously, some of the most mission critical data for identity thieves and other fraudsters are things like dates of birth, social security numbers, and other types of information that you would use an application for, let’s say, a car loan, or some sort of other major financial transaction. So when you go to buy a car, and you get financing, through the dealership, that type of information can be extremely useful. And just for the same reason that let’s say, you know, healthcare records are valuable, because they have so many details that could be used for fraud. But when you have something that’s being used in a financial context like that, like a car loan, that can be just as useful.
Similar to that you can even, for example, the dealerships would have accounts at the credit bureaus that they will use to do credit checks of prospective buyers. I did find a case where a car dealership’s workstation was compromised with a keystroke logger. And then they used that to collect the credentials that the car dealership was using to get credit reports. So then they used those credentials to get credit reports on customers fraudulently. Obviously, the credit bureau found out about this, they were not happy about this. The car dealership had to investigate and resolve the breach at a cost of $150,000. And they had to go through an annual security audit for the next five years. So there were some pretty substantial consequences to that.
LO: Yeah, that’s definitely kind of long standing impact there for them. Actually, I thought that incident in particular that you outlined in your research was interesting about the keylogger being implemented on the workstation and then being able to obtain customer credit reports from the credit bureau. And you also looked at everything from ransomware to BEC attacks and kind of shed light on some of these specific incidents that were hitting companies. Can you tell us, you know, about a security incident that really stuck out to you when it comes to cyber criminals raising the bar using new, interesting tricks or tactics or taking it to the next level?
PP: Maybe not in terms of technical sophistication. But let’s say in terms of the audacity, there was an attempted ransomware attack on Tesla, that came to light earlier this year that they had, this group of Russian ransomware operators approached a Russian who was working at Tesla. And they offered him first a half million dollars, and then a million dollars, to serve as the insider to enable a ransomware attack. Just the audacity of doing this, that first of all, that they actually sent somebody to the U.S., you know, put it in within reach of U.S. law enforcement and offered him a very large amount of money, which says to me that they were very confident that they could get a large ransom from Tesla. And even then, that they would conduct the attack in such a way as to blame another employee that the Russian employee did not like. And then they would distract Tesla security teams with a DDoS attack before they actually deployed the ransomware. So I mean, the technology here wasn’t anything particularly sophisticated or distinctive. But the audacity here really jumped out at me. And it also just highlights the role of insider threats, which also did come up again, actually, Tesla, they sued a former employee in 2018, saying he left some malicious code on their network, and then also did it in such a way that he was trying to blame another employee he didn’t like. So insider threats did come up quite a bit. And I think this potential incident with Tesla just demonstrates how ambitious one can be with that kind of access.
LO: Right. I think that said that they did have quite the audacity to try to launch that type of attack. I think that does kind of bring up a really good point, which is this concept of insider threats, whether it’s an incident like the one you just described, where, you know, it’s external actors seeking out a potential malicious insider, and trying to convince them to kind of do their bidding, or if it’s, you know, more non-malicious, like a security misconfiguration or something along those lines too. I’m curious what you’re seeing there, in terms of these insider threats when it comes to this industry.
PP: So, yeah, there’s the insider threat example, I mentioned earlier. Security misconfigurations are something I would normally not consider a threat, per se. I mean, it’s not somebody actively trying to do that. It’s just honest mistakes or oversights. But in the course of doing this research, I found so many examples of security misconfigurations in automotive companies that I thought it was important to treat this as its own issue. Not sure I want to name names here, but there was one well-known automotive manufacturer in particular, that showed up repeatedly, over the course of like a year and a half or so. I would have thought that bringing these things to light would have motivated them to fix these problems. But apparently, it didn’t. I will say that ElasticSearch databases, in particular, seem to be a common place for these types of oversights to occur, just judging by the research that has been published in the past.
LO: I think that’s definitely something we see across all industries as well. But I’m sure that the implications with this industry in particular, are critical. Before we wrap up, I wanted to ask you, looking out to 2021, do you see any future security risks or threats that automotive companies should be on the lookout for, as well as, do you have any suggestions for these companies to better kind of bolster their security measures?
PP: This trend of ransomware operators, threatening to disclose data and then actually disclosing it.
This has been building momentum for some time. But I think it is increasingly becoming the norm and probably will become the norm if not next year, certainly in the future. So obviously, you know, spend nothing to encrypt your files, but then when they disclose it to the whole world, and cause reputational damage and possibly financial damage to you, to your company, and to your customers, and vendors and other partners and so on. So, you know, they say that, well, the traditional reasoning has been that the best defense against ransomware is to have good backups, so as to reduce the pressure to pay the ransom. But when you add another component to it, disclosing the data and not just encrypting it, that just complicates things. So the best thing you can do is, of course, segmenting the most sensitive data that you have from the rest of the network, in the hopes that maybe the ransomware operators won’t be able to move to it laterally. And then of course, encrypting any of the most sensitive files that are out there, so that they won’t be of any use to anybody that manages to get a copy of that. There are obviously, you know, security audits, I think, are important and penetration testing, given the number of examples of security misconfigurations that I found. And then of course, security awareness training for employees, making them aware of things like phishing attacks, and business email compromises. All the technology in the world isn’t going to do any good if your employees let the attackers in through the backdoor. So human awareness, patching human vulnerabilities is critical.
LO: Paul, thanks, you know, so much for coming on to the podcast today to talk more about the security threats that are facing automotive companies.
PP: Thank you.
LO: Great. And once again, this is Lindsey O’Donnell-Welch here today, talking with Paul Prudhomme with IntSights. If you have your own comments or thoughts on security issues that are plaguing the auto industry, feel free to reach out to us on our Twitter page @threatpost and drop us a note. Thank you for tuning in to the Threatpost podcast.