Cyber Incident Victim: BMW

Date: Dec 2019

Location: Viet Nam

Summary

Vietnamese government-linked hackers, known as APT32 or Ocean Lotus, breached automotive manufacturers BMW and Hyundai, deploying the Cobalt Strike penetration toolkit to establish network backdoors. The attackers reportedly maintained access within BMW's systems for an extended period before being detected and expelled; no specific details of the Hyundai intrusion were reported. The group has a history of targeting the automotive sector, including prior attacks on Toyota subsidiaries, with suspected motives of economic espionage to benefit Vietnam's state-supported automotive industry, particularly the emerging manufacturer VinFast. The incidents reflect a broader pattern of state-aligned cyber operations aimed at intellectual property theft for competitive industrial advantage.


Description

In spring 2019, hackers suspected of ties to the Vietnamese government breached the network of a BMW branch. The attackers deployed the penetration testing toolkit Cobalt Strike on compromised hosts, establishing a persistent backdoor within BMW's infrastructure. BMW reportedly detected the intrusion and opted to monitor the attackers' activities rather than immediately eject them from the network. This surveillance continued until late November 2019, when BMW severed the hackers' access. The same threat actor also breached Hyundai's networks, though specific details regarding the Hyundai intrusion’s timeline, methods, or impacted systems were not disclosed in available reports. Neither BMW nor Hyundai provided official comments confirming or denying the incidents when approached by media outlets, including Bayerischer Rundfunk, Tagesschau, and ZDNet.

Security researchers attributed the intrusions to APT32 (also known as Ocean Lotus), a group allegedly conducting cyberespionage operations on behalf of Vietnam since at least 2014. APT32 had previously targeted foreign corporations operating in Southeast Asia but shifted focus to the automotive sector starting in 2017. Prior to the BMW and Hyundai incidents, the group was linked to breaches at Toyota Australia, Toyota Japan, and Toyota Vietnam. Analysts speculated that the Vietnamese government employed APT32 to steal intellectual property from automotive manufacturers, mirroring tactics historically associated with Chinese state-sponsored economic espionage. This activity aligned with Vietnam’s strategic interest in bolstering its domestic automotive industry, notably through VinFast, a state-supported startup that began vehicle production in 2019. The BMW breach demonstrated APT32’s continued reliance on established tools like Cobalt Strike for maintaining network access, while Hyundai’s involvement indicated a broader campaign against multiple automotive entities. No specific technical details regarding data exfiltration, financial losses, or operational disruptions were publicly confirmed by the affected organizations.
