Protecting the Automotive Industry from APT Attacks in the Era of Industry 4.0

Introduction 介绍

The automotive industry has long attracted cyber threat groups due to its expansive reach, encompassing vehicle manufacturing technologies and critical operational infrastructures. As one of the largest global industries, the automotive sector offers cybercriminals lucrative opportunities for espionage and financial gain. Our analysis, drawing on public sources from January 2023 to February 2024, identified 30 cybersecurity incidents targeting various facets of the automotive industry, including suppliers, manufacturers, dealers, and integrators.
长期以来，汽车行业因其广泛的影响力而吸引了网络威胁组织，包括汽车制造技术和关键的运营基础设施。作为全球最大的行业之一，汽车行业为网络犯罪分子提供了有利可图的间谍活动和经济利益机会。我们的分析利用 2023 年 1 月至 2024 年 2 月的公开资源，确定了 30 起针对汽车行业各个方面的网络安全事件，包括供应商、制造商、经销商和集成商。

Predominantly, these incidents involved ransomware attacks by notorious groups such as LockBit, Black Basta, and Qilin, as illustrated in Figure 1. This data suggests that the attacks were financially motivated and indiscriminate in nature. Employing a double extortion strategy, attackers not only encrypted high-value files but also exfiltrated data, compounding the threat to targeted organizations.
这些事件主要涉及 LockBit、Black Basta 和 Qilin 等臭名昭著的组织的勒索软件攻击，如图 1 所示。这些数据表明，这些袭击是出于经济动机和不分青红皂白的性质。攻击者采用双重勒索策略，不仅加密高价值文件，还泄露数据，加剧了对目标组织的威胁。

It’s noteworthy that these threat actors often exploit widespread vulnerabilities, known as 1-day vulnerabilities, or employ social engineering tactics to breach the internal networks of their targets, proceeding directly to ransomware deployment. In these cases, keeping perimeter assets up-to-date and ensuring proper cybersecurity training can mitigate most attacks.
值得注意的是，这些威胁行为者经常利用广泛的漏洞（称为 1 天漏洞）或采用社会工程策略来破坏其目标的内部网络，直接进行勒索软件部署。在这些情况下，使外围资产保持最新状态并确保适当的网络安全培训可以缓解大多数攻击。

However, our findings also reveal six incidents outside the ransomware domain, involving Advanced Persistent Threat (APT) groups that deploy sophisticated tactics to infiltrate their targets. These incidents highlight the need for automotive companies to implement tailored defensive strategies, including the adoption of advanced threat detection and response measures, to effectively counter these more strategic threats.
然而，我们的研究结果还揭示了勒索软件领域之外的六起事件，涉及高级持续威胁 （APT） 组织，这些组织部署了复杂的策略来渗透其目标。这些事件凸显了汽车公司需要实施量身定制的防御策略，包括采用先进的威胁检测和响应措施，以有效应对这些更具战略性的威胁。

Figure 1: Ransomware Attacks on the Automotive Industry (January 2023 – February 2024)
图 1：针对汽车行业的勒索软件攻击（2023 年 1 月至 2024 年 2 月）

Understanding APT32’s Targeted Espionage in the Automotive Sector
了解 APT32 在汽车领域的有针对性的间谍活动

In the absence of forthcoming data from the victimized companies, our analysis will center on dissecting historical and seminal cyberattacks within the automotive sector. This examination of APT groups, such as APT32, sheds light on the resilience strategies employed by the automotive industry to fend off such sophisticated threats.
在缺乏受害公司即将公布的数据的情况下，我们的分析将集中在剖析汽车行业的历史和开创性网络攻击上。对 APT 组（如 APT32）的检查揭示了汽车行业为抵御此类复杂威胁而采用的弹性策略。

APT32, also known as the OceanLotus Group, demonstrated a marked preference for targeting the automotive industry in 2019, with the apparent aim of stealing trade secrets. This inclination is widely interpreted as an effort to bolster Vietnamese domestic automotive policies through clandestine means [1] [2] [3].
APT32，也被称为海洋莲花集团，在2019年表现出明显的针对汽车行业的偏好，其明显目的是窃取商业机密。这种倾向被广泛解释为通过秘密手段支持越南国内汽车政策的努力[1] [2] [3]。

Historically, APT32 has engaged in espionage against a broad spectrum of targets, including private sector entities, foreign governments, dissidents, and journalists. In a strategic pivot, the group has recently intensified its focus on the automotive sector, breaching networks of car manufacturers to exfiltrate automotive trade secrets—a primary objective of their campaign.
从历史上看，APT32 曾针对广泛的目标进行间谍活动，包括私营部门实体、外国政府、持不同政见者和记者。在战略支点中，该集团最近加强了对汽车行业的关注，破坏了汽车制造商的网络，以泄露汽车商业机密——这是他们活动的主要目标。

APT32’s modus operandi, which aligns with state-sponsored interests, incorporates a comprehensive array of tactics cataloged within the MITRE ATT&CK framework. To facilitate understanding, we’ve distilled their complex attack methodology into a simplified process, depicted in Figure 2.
APT32 的作案手法与国家支持的利益相一致，结合了 MITRE ATT&CK 框架中编目的一系列全面策略。为了便于理解，我们将其复杂的攻击方法提炼成一个简化的过程，如图 2 所示。

Figure 2: APT32 Attack Process Simplified
图 2：简化的 APT32 攻击过程

Strengthening Cybersecurity Across Windows, MacOS, and Linux
加强 Windows、MacOS 和 Linux 的网络安全

In the landscape of cybersecurity threats, APT groups stand out due to their highly targeted and sophisticated methods. Unlike the broad-brush approach typical of conventional ransomware attacks, APT groups, such as APT32, meticulously craft their attacks to exploit the unique vulnerabilities of their targets. This customization extends to the development of malware that seamlessly operates across various operating systems—Windows, MacOS, and Linux—underscoring the versatility and technical ingenuity of these threats.
在网络安全威胁领域，APT 组织因其高度针对性和复杂的方法而脱颖而出。与传统勒索软件攻击的典型粗略方法不同，APT32 等 APT 组织精心设计攻击以利用其目标的独特漏洞。这种定制扩展到在各种操作系统（Windows、MacOS 和 Linux）上无缝运行的恶意软件的开发，突出了这些威胁的多功能性和技术独创性。

A case study by Trend Micro unveils a particularly elaborate example of this approach: a backdoor specifically designed to infiltrate MacOS computers [4]. This backdoor is initially spread through a seemingly innocuous Word document containing malicious macros. Once a device is compromised, the malware ingeniously leverages native MacOS commands to pilfer data. In a further display of sophistication, it assigns a unique identifier to each infected machine by generating an MD5 hash from the outputs of specific MacOS commands. This method is not just about gathering data; it’s designed to slip past defense mechanisms by masquerading as legitimate traffic.
趨勢科技（Trend Micro）的一個案例研究揭示了這種方法的一個特別詳細的例子：一個專門設計的滲透MacOS電腦的後門[4]。此后门最初是通过包含恶意宏的看似无害的 Word 文档传播的。一旦设备遭到入侵，恶意软件就会巧妙地利用本机 MacOS 命令来窃取数据。为了进一步显示复杂性，它通过从特定 MacOS 命令的输出生成 MD5 哈希值，为每台受感染的机器分配一个唯一标识符。这种方法不仅仅是收集数据;它旨在通过伪装成合法流量来绕过防御机制。

Figure 3: Trend Micro Deobfuscated Perl Payload from the Delivery Document
图 3：Trend Micro 从交付文档中对 Perl 有效负载进行反混淆处理

With its diverse reliance on different operating systems based on project requirements, the automotive industry presents a broad attack surface for these APT groups. Employees in this sector may use Linux, Windows, or MacOS, each offering unique entry points for attackers. This diversity underscores a critical vulnerability: as APT groups enhance their malware, the risk of having internal networks of automotive companies penetrated increases significantly. Thus, it’s imperative for these companies to bolster their cybersecurity defenses across all operating systems with the equal vigor. Beyond mere attention to MacOS and Linux, there’s a pressing need for comprehensive Operational Technology (OT) visibility. Such a holistic approach is essential not only for detecting but also for effectively containing and neutralizing these threats.
由于汽车行业根据项目要求对不同操作系统的依赖程度各不相同，因此这些 APT 组织面临着广泛的攻击面。该部门的员工可能使用 Linux、Windows 或 MacOS，每个都为攻击者提供唯一的入口点。这种多样性凸显了一个关键的漏洞：随着 APT 组织增强其恶意软件，汽车公司内部网络被渗透的风险显着增加。因此，这些公司必须以同样的力度加强其在所有操作系统上的网络安全防御。除了关注 MacOS 和 Linux 之外，还迫切需要全面的运营技术 （OT） 可见性。这种整体方法不仅对于发现这些威胁至关重要，而且对于有效遏制和消除这些威胁也至关重要。

Cobalt Strike Deployed in the Target Network
部署在目标网络中的钴打击

In the shadowy realm of cyber threats, APT groups like APT32 have honed a particularly insidious technique: the deployment of Cobalt Strike beacons on the devices they compromise. This tool is not unique to APT32—other notorious groups such as Chimera, APT29, and Leviathan also utilize it for what’s known in the cyber world as ‘post-exploitation’ activities. Essentially, once they’ve breached a device, these beacons serve as their eyes and ears within the compromised system.
在网络威胁的阴暗领域， 像 APT32 这样的 APT 组织已经磨练了一种特别阴险的技术：在他们入侵的设备上部署 Cobalt Strike 信标.这个工具并不是 APT32 独有的——其他臭名昭著的组织，如 Chimera、APT29 和 Leviathan，也将其用于网络世界中所谓的“后开发”活动。从本质上讲， 一旦他们破坏了设备， 这些信标在受感染的系统中充当他们的眼睛和耳朵.

Cobalt Strike represents the pinnacle of malicious innovation. Marketed commercially as a comprehensive remote access toolkit, it offers attackers a broad spectrum of capabilities—ranging from discovering valuable data within the network, evading detection by security software, escalating their access privileges, to exfiltrating sensitive information. Its versatility is further underscored by its compatibility across Windows, MacOS, and Linux platforms. Figure 4 shows a sample of interacting with victim’s desktop [5].
Cobalt Strike 代表了恶意创新的巅峰之作。它作为全面的远程访问工具包在商业上销售，为攻击者提供了广泛的功能，包括发现网络中的有价值数据、逃避安全软件的检测、提升其访问权限以及泄露敏感信息。其跨 Windows、MacOS 和 Linux 平台的兼容性进一步强调了它的多功能性。图 4 显示了与受害者桌面交互的示例 [5]。

Figure 4: A Sample of Cobalt Strike Interactions with Victim’s Desktop
图 4：钴打击与受害者桌面交互的示例

When considering the automotive industry, a sector increasingly reliant on the integration of Information Technology (IT) and Operational Technology (OT) for automated manufacturing and cloud computing, the threat posed by tools like Cobalt Strike becomes particularly acute. The flexibility in operating systems used by employees—based on project needs—widens the potential attack surface [6]. This scenario underscores a critical challenge: as automotive companies advance towards more automated and flexible production processes [7] [8], their IT and OT environments become enticing targets for APT groups equipped with sophisticated tools like Cobalt Strike.
考虑到汽车行业，该行业越来越依赖信息技术 （IT） 和运营技术 （OT） 的集成来实现自动化制造和云计算，Cobalt Strike 等工具带来的威胁变得尤为严重。员工根据项目需求使用的操作系统具有灵活性，这扩大了潜在的攻击面[6]。这种情况凸显了一个关键挑战：随着汽车公司向更加自动化和灵活的生产流程迈进 [7] [8]，他们的 IT 和 OT 环境成为配备 Cobalt Strike 等复杂工具的 APT 团队的诱人目标。

Figure 5: Threat Groups Attack Scenario on Automotive Industry
图 5：汽车行业的威胁组织攻击场景

Imagine the automotive industry as a battlefield in the digital realm, where attackers and defenders are constantly evolving. Figure 5 shows an attack example that threat groups might have used for automotive industry targets. The first step in an attack, as illustrated in our example, involves the meticulous gathering of e-mail addresses from potential targets within the automotive sector. Attackers then cunningly utilize popular cloud storage services like Dropbox, Amazon S3, and Google Drive to host their malicious tools—a common tactic among APT groups. These groups often initiate their incursion through two primary methods: drive-by compromises, which trick users into downloading malware by merely visiting a compromised website, or spearphishing emails, which are tailored messages designed to deceive recipients into opening harmful attachments or links.
将汽车行业想象成数字领域的战场，攻击者和防御者在不断发展。图 5 显示了威胁组织可能用于汽车行业目标的攻击示例。正如我们的示例所示，攻击的第一步涉及从汽车行业的潜在目标那里精心收集电子邮件地址。然后，攻击者狡猾地利用 Dropbox、Amazon S3 和 Google Drive 等流行的云存储服务来托管他们的恶意工具——这是 APT 组织的常见策略。这些组织通常通过两种主要方法发起入侵：偷渡式入侵，仅通过访问受感染的网站来诱骗用户下载恶意软件，或鱼叉式网络钓鱼电子邮件，这是旨在欺骗收件人打开有害附件或链接的定制消息。

In more sophisticated attacks, often at the level of nation-state sponsored APTs, zero-day vulnerabilities—previously unknown software flaws—may be exploited, particularly in high-stakes targets like the energy sector. Once an unsuspecting employee inadvertently introduces malware into their system, the stage is set for the attackers to deploy Cobalt Strike beacons. These beacons are not just tools for establishing a foothold; they are Swiss Army knives for cyber criminals, capable of exploiting vulnerabilities, disguising malicious files, pilfering data, and communicating with a command-and-control (C&C) server to receive further instructions.
在更复杂的攻击中，通常是在民族国家赞助的APT层面，零日漏洞（以前未知的软件缺陷）可能会被利用，特别是在能源部门等高风险目标中。一旦毫无戒心的员工无意中将恶意软件引入他们的系统，攻击者就可以部署 Cobalt Strike 信标。这些信标不仅仅是建立立足点的工具;它们是用于网络犯罪分子的瑞士军刀，能够利用漏洞、伪装恶意文件、窃取数据以及与命令和控制 （C&C） 服务器通信以接收进一步的指令。

The ultimate prize for these attackers often includes automotive trade secrets and intellectual property, valuable assets that can provide competitive advantages or be sold for a high price on the dark web. The situation escalates when attackers manage to move laterally within a company’s network, eventually compromising critical systems that control automated manufacturing processes. The ramifications of such breaches can be catastrophic, leading not just to the loss of sensitive information but potentially bringing production lines to a standstill.
这些攻击者的最终奖品通常包括汽车商业机密和知识产权，这些宝贵的资产可以提供竞争优势或在暗网上以高价出售。当攻击者设法在公司网络内横向移动时，情况就会升级，最终危及控制自动化制造过程的关键系统。此类违规行为的后果可能是灾难性的，不仅会导致敏感信息丢失，还可能导致生产线停顿。

Research by TXOne Networks sheds light on the multifaceted cyber threats facing automotive factories and underscores the significant financial and operational risks associated with such security breaches. These findings serve as a stark reminder of the need for robust cybersecurity measures in an industry increasingly reliant on digital technologies and interconnected systems.
TXOne Networks的研究揭示了汽车工厂面临的多方面网络威胁，并强调了与此类安全漏洞相关的重大财务和运营风险。这些发现清楚地提醒我们，在一个越来越依赖数字技术和互联系统的行业中，需要采取强有力的网络安全措施。

Conclusion 结论

In the last 30 cybersecurity incidents affecting the automotive industry from January 2023 to February 2024, we’ve observed that the majority were random ransomware attacks. However, there were 6 incidents that didn’t involve ransomware, some of which even resulted in production stoppages.
在 2023 年 1 月至 2024 年 2 月影响汽车行业的最近 30 起网络安全事件中，我们观察到大多数是随机勒索软件攻击。但是，有 6 起事件不涉及勒索软件，其中一些甚至导致停产。

Compared to random ransomware attacks, Advanced Persistent Threat (APT) attacks often employ sophisticated strategies to compromise their targets. These attackers not only conduct extensive reconnaissance on their targets but also use advanced tools like Cobalt Strike for in-depth post-exploitation activities, posing a significant risk to production continuity and the security of intellectual property.
与随机勒索软件攻击相比，高级持续威胁 （APT） 攻击通常采用复杂的策略来破坏其目标。这些攻击者不仅对目标进行广泛侦察，还使用 Cobalt Strike 等先进工具进行深入的开采后活动，对生产连续性和知识产权安全构成重大风险。

With the automotive industry embracing Industry 4.0, the integration of IT and Operational Technology (OT) environments is becoming increasingly common. When IT environments are targeted by state-sponsored APT attacks, even regulated OT environments can be at risk of lateral movement attacks. It is well-known that if threat actors gain access to the OT environment, they can disrupt production lines. Stealing trade secrets and intellectual property is also a primary objective for these attackers.
随着汽车行业拥抱工业 4.0，IT 和运营技术 （OT） 环境的集成变得越来越普遍。当 IT 环境成为国家支持的 APT 攻击的目标时，即使是受监管的 OT 环境也可能面临横向移动攻击的风险。众所周知，如果威胁行为者获得对 OT 环境的访问权限，他们可能会破坏生产线。窃取商业机密和知识产权也是这些攻击者的主要目标。

The possibility of threat actors penetrating OT systems and disrupting manufacturing processes highlights the need for a strong defense strategy. Automotive companies need to expand their cybersecurity measures to include not just Windows but also MacOS and Linux systems, ensuring comprehensive protection of all digital assets. Protecting OT environments is equally crucial, necessitating an awareness of their vulnerability to compromise. Adopting a “never trust, always verify” mindset is essential. This zero-trust approach requires strict verification of all users, devices, and processes, with access denied by default until legitimacy is established.
威胁行为者渗透 OT 系统并破坏制造流程的可能性凸显了对强大防御策略的需求。汽车公司需要扩大其网络安全措施，不仅包括 Windows，还包括 MacOS 和 Linux 系统，确保全面保护所有数字资产。保护 OT 环境同样重要，需要了解其易受攻击性。采取“永不信任，始终验证”的心态至关重要。这种零信任方法需要对所有用户、设备和进程进行严格验证，默认情况下会拒绝访问，直到建立合法性。

To effectively counter these complex threats, automotive firms must thoroughly understand and monitor their OT networks. By adopting a proactive approach, they can identify and neutralize potential cyber threats before they cause damage, ensuring the industry’s progress and the protection of its valuable assets.
为了有效应对这些复杂的威胁，汽车公司必须彻底了解和监控其OT网络。通过采取积极主动的方法，他们可以在潜在的网络威胁造成损害之前识别和消除它们，确保行业的进步并保护其宝贵的资产。

Reference 参考

[1] Julia Sowells, “Yet Again! Cyber Attack on Toyota Car Maker – Data breach”, HackerCombat, April 2, 2019.
[1] 朱莉娅·索威尔斯（Julia Sowells），“又一次！对丰田汽车制造商的网络攻击 – 数据泄露“，HackerCombat，2019 年 4 月 2 日。

[2] Kayla Matthews, “Incident of the week: Toyota’s second data breach affects millions of drivers”, Cyber Security Hub, August 29, 2023.
[2] 凯拉·马修斯（Kayla Matthews），“本周事件：丰田的第二次数据泄露影响了数百万司机”，网络安全中心，2023 年 8 月 29 日。

[3] LIFARS, “APT32 in the Networks of BMW and Hyundai”, LIFARS, December 21, 2019.
[3] LIFARS，“宝马和现代网络中的 APT32”，LIFARS，2019 年 12 月 21 日。

[4] Jaromir Horejsi, “New MacOS backdoor linked to OceanLotus found”, Trend Micro, April 4, 2018.
[4] Jaromir Horejsi，“发现链接到 OceanLotus 的新 MacOS 后门”，趋势科技，2018 年 4 月 4 日。

[5] Fortra, “Screenshots | Cobalt Strike”, Fortra, July 25, 2023.
[5] Fortra，“屏幕截图 |钴罢工“，Fortra，2023 年 7 月 25 日。

[6] Kevin Bostic, “BMW to deploy iPads and mimic Apple Genius program to serve customers”, AppleInsider, February 11, 2013.
[6] 凯文·博斯蒂克（Kevin Bostic），“宝马部署iPad并模仿Apple Genius计划来服务客户”，AppleInsider，2013年2月11日。

[7] Robbie Dickson, “How Industry 4.0 could Revolutionizing EV Manufacturing”, Firgelli Automations, July 5, 2023.
[7] Robbie Dickson，“工业 4.0 如何彻底改变电动汽车制造”，Firgelli Automations，2023 年 7 月 5 日。

[8] Amazon Web Services, “Volkswagen Takes Production to the Cloud”, Amazon Web Services, Accessed March 15, 2024.
[8] 亚马逊网络服务，“大众汽车将生产带到云端”，亚马逊网络服务，2024 年 3 月 15 日访问。