How did OceanLotus aka APT32 hack BMW? Read to know the complete story

The same group has also allegedly hacked the Korean carmaker Hyundai's computer network

As predicted earlier, APT groups are going after large enterprises around the world. According to the latest report by German media house BW Recherche, German automaker BMW's computer network was compromised by a group of hackers. The attack was allegedly carried out in the spring of 2019, and the Munich-based luxury car maker has since removed the infected computers from its network.

According to the report, the hacker group, alleged to be OceanLotus, was being watched by BMW's IT security experts for months before the attack. The same group has also allegedly hacked the Korean carmaker Hyundai's computer network.

How did they do it?


To gain control of the BMW computer network, the APT group installed a tool called Cobalt Strike, which lets attackers spy on a computer or network and control the system remotely. To deliver the tool, OceanLotus set up a website disguised as the official site of BMW's Thailand branch and infected a computer via phishing emails.

Once they had compromised a system inside the BMW network, they looked around the network, scanned the file system and checked which users were logged in. The report claimed they continued to snoop on the network for months before launching the final attack.

Attacks linked to Vietnam?

BW claims the attack style and the tools used suggest the hack was carried out by OceanLotus, and believes the group works for Vietnam. But Cisco Umbrella's official website states that the group does not operate as a state-sponsored actor and instead has its own agenda behind the attacks.

The group has been active since 2014 and primarily targets enterprises and government networks in China, the Philippines and Vietnam. Its victim list also includes South Asian countries like Singapore. However, BW got no answer when it asked the Vietnamese Embassy about the links between OceanLotus and the Vietnamese government.

The Payload

Like every other hacker group, OceanLotus has its own attack pattern. It primarily uses weaponised attachments: innocent-looking emails with attachments that carry malicious programs, or with links to download them.

Another method the group often uses is the watering hole attack, distributing numerous fake installers that pose as legitimate installers or updaters of popular programs in order to install malware.

The Vendetta

BW claims OceanLotus has for years been attacking many enterprises that pose a rival or threat to Vietnamese political interests.

In the summer of 2019, the German Association of Automobile Industries (VDA) issued a warning email to its members. The email mentioned that the Federal Office for the Protection of the Constitution had warned about possible cyber-attacks on German automobile companies.