The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the automotive industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the automotive industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting automotive organizations.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Over the past 90 days, the automotive industry featured in 2 out of the 11 observed campaigns, a presence in 18% of all campaigns. That is one more campaign than in the previous 90 days, but a decline in the overall share from 25% (1 out of 4).
The campaigns were observed during April and May, respectively.
Observed campaigns were carried out by Russian cybercrime syndicate FIN11 and a Chinese Ministry of State Security-linked group with overlapping TTPs pointing towards Salt Typhoon and Stone Panda.
Countries with recorded victims align strongly with known automotive powerhouses. Most are included in both of the observed campaigns.
Both campaigns targeted web applications and operating systems. The Chinese campaign also attacked routers and network monitoring tools.
Over the past 90 days, the automotive industry has not been significantly affected by advanced persistent threat (APT) campaigns.
Out of the 11 observed APT campaigns, only two targeted this industry, representing 18% of the observed campaigns. This is an increase from the previous 90-day period, during which only one campaign targeted this industry.
Monthly Trends
The observed campaigns were active during April and May.
Key Threat Actors
The campaigns were carried out by Russian cybercrime syndicate FIN11 and groups linked to the Chinese Ministry of State Security (MSS). The techniques used in these campaigns are overlapping and suggest a connection to Stone Panda and Salt Typhoon.
Geographical Impact
Both campaigns focused on strong automotive economies, with Asian countries more prevalent than European ones.
Targeted Technologies
Both campaigns targeted web applications and operating systems. The Chinese campaign also targeted routers and network monitoring tools.
Over the past three months, CYFIRMA’s telemetry has identified 531 mentions of the automotive industry out of a total of 57,025 industry mentions. This is from a total of 300k+ posts across various underground and dark web channels and forums.
The automotive industry placed 14th out of 14 industries in the last 90 days, with a share of 0.93% of all detected industry-linked chatter. It is important to note the narrow scope of the automotive industry category.
Below is a breakdown of 30-day periods of all mentions.
Data Leaks and Data Breaches are the most common category of recorded chatter for this industry. Both categories recorded a dip in the previous 30 days and then recovered during the last 30 days. Ransomware chatter has been sustained across all 90 days. DDoS surged in the last 30 days.
In total, the automotive industry comprises 0.93% of all detected industry underground and dark web chatter in the last 90 days, ranking 14th out of 14 industries.
Below are the observed key trends across 90 days:
Spike in Data Breach & Leak Mentions
Data Breach: 78 → 51 → 84
Data Leak: 78 → 52 → 75
Both categories saw a notable rebound in the last 30 days, suggesting a renewed wave of data exposures.
Ransomware Activity Remains Consistent
20 → 23 → 20
No significant shifts—ransomware is a steady threat, likely targeting manufacturing, dealerships, or IoT systems in vehicles.
Claimed Hacks Rebound
10 → 4 → 10
Return to previous levels suggests new successful attacks being shared or sold on forums.
DDoS Activity Surging
2 → 1 → 9 (↑350%)
A significant jump in the latest period—could reflect retaliation, extortion campaigns, or service disruption attempts.
Hacktivism is Infrequent but Persistent
3 → 1 → 3
Low-level but consistent—may be related to targeting around labour, environmental, or geopolitical issues.
Web Exploit Mentions Declining
3 → 3 → 1
Suggests either improved application security or a shift in attacker focus away from web-based vectors.
Over the past three months, CYFIRMA’s telemetry has identified 29 mentions of the automotive industry out of a total of 2,678 industry mentions. This is from over 10k CVEs reported and updated in the last 90 days.
The automotive industry ranked 13th out of 14 industries in the last 90 days with a share of 1.08% of all detected industry-linked vulnerabilities.
Below is a breakdown of 30-day periods of all mentions.
Injection attacks lead the chart; however, there were none during the first 30 days. Remote & Arbitrary Code Execution (RCE & ACE) and Memory & Buffer vulnerabilities follow. The remaining categories are minimal, yet not to be overlooked.
In total, the automotive industry comprises 1.08% of all detected industry-linked vulnerabilities in the last 90 days, ranking 13th out of 14 industries.
Below are observed key trends across 90 days.
Injection Attacks
0 → 8 → 5
A sharp spike in the previous month, followed by a slight decrease, but still elevated.
Remote & Arbitrary Code Execution (RCE & ACE)
2 → 3 → 1
Generally low but consistent. Indicates a lower but critical risk—RCEs can be severe if exploited, especially in connected vehicle environments.
Memory & Buffer Vulnerabilities
1 → 3 → 0
Was briefly elevated but no new memory flaws were reported recently.
Cross-Site Scripting (XSS) & Clickjacking
1 → 1 → 1
Low and steady—minor web-based issues remain unresolved.
Denial of Service (DoS) & Resource Exhaustion
0 → 1 → 1
A low but consistent concern—may align with observed increases in DDoS mentions in dark web chatter.
Information Disclosure & Data Leakage
0 → 1 → 0
No recent CVEs, but paired with high chatter around data breaches and leaks.
In the past 90 days, CYFIRMA has identified 39 verified ransomware victims in the automotive industry. This accounts for 2.6% of the overall total of 1,510 ransomware victims during the same period, placing the automotive industry 13th out of 14 industries.
Furthermore, a quarterly comparison reveals sustained levels of interest in automotive organizations, with only a minor change of 2.6% from 38 to 39 victims. The overall share, however, mildly increased from 1.84% to 2.58% of all victims.
Over the past 180 days, we have observed one early bump in activity during February. After lower activity in April, we are again seeing a mild upward trend.
A breakdown of monthly activity per gang provides insights into which gangs were active each month. For example, Qilin and Akira, by far the most active gangs, were highly active across the last 3 months. On the other hand, gangs like Lynx or Play were active only during a single month.
Out of the 73 gangs, only 18 recorded victims in this industry in the last 90 days (25% participation). Qilin had the highest number of victims (13).
The share of victims for most gangs in this industry is low. From the top 10, only one gang recorded a major share of their victims – Spacebears (16.7%).
Among the top gangs, Qilin (6.3%), Akira (4.7%), and Interlock (7.4%) had the highest share of victims; the rest are mostly below the 5% mark.
While various dealerships lead the ransomware victimology, sectors are varied despite a smaller overall number of victims.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
The chart shows quarter-to-quarter changes in targeted countries. Data is sorted by the last 90 days and compared to the previous 90 days, marked in blue.
In the last 90 days, the USA recorded 18 victims (46% of all victims). Notably, Japan, France, and South Korea, all known for their automotive industries, did not record any victims in the last 90 days.
The automotive industry placed 13th out of 14 monitored industries, recording 39 victims in the last 90 days, only a marginal increase of 2.6% from 38 victims in the previous 90-day period.
The overall share mildly increased from 1.84% to 2.58% of all ransomware victims.
Monthly Activity Trends
After a spike in activity in February, there was a dip in activity in April. Since then, the activity has grown mildly.
Ransomware Gangs
A total of only 18 out of 73 active ransomware groups targeted this industry in the past 90 days – a 25% participation:
Qilin: The most active with 13 victims and 6.3% (13 out of 207) of all their victims.
Akira: Second most active with 6 victims and just 4.7% (6 out of 127) share.
Spacebears: Highest share among the top 10 gangs, with 16.7% (2 out of 12) of their victims in this industry.
Geographic Distribution
The geographic spread of ransomware victims is relatively limited and heavily concentrated in the USA (18), which accounts for 46% of all victims.
Canada (5) and Germany (4) follow. Notably, Japan, South Korea, and France have been missing from the list in the past 90 days.
In total, only 13 countries recorded ransomware victims in this industry in the last 90 days, four fewer than the 17 in the previous period.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series.
APT Campaigns (Low): The automotive industry remained a low-priority target for APT actors, with only 2 out of 11 observed campaigns (18%) affecting the sector—an increase from just one in the prior period. Activity occurred in April and May. FIN11 (Russia) and Chinese MSS-linked actors—possibly connected to Stone Panda or Salt Typhoon—were responsible. Their campaigns focused on Asian automotive economies and targeted web apps, operating systems, routers, and network monitoring tools.
Underground & Dark Web Chatter (Low): Accounting for just 0.93% of all chatter, the automotive sector ranked last among monitored industries. Data breach and leak mentions rebounded in the last 30 days. Ransomware remained stable, likely affecting manufacturing and dealership operations. Claimed hacks returned to previous levels, while DDoS mentions surged 350%, potentially tied to extortion or disruption attempts. Hacktivism remains rare but consistent. Web exploit chatter declined, suggesting either hardened perimeter defenses or changing attacker focus.
Vulnerabilities (Low): The industry accounted for 1.08% of all CVEs, ranking 13th out of 14. Injection attacks saw a brief spike and remain elevated. RCEs and memory vulnerabilities are low but persistent, representing critical risks in connected systems. Web-based vulnerabilities like XSS and clickjacking are steady at low volume. DoS and information disclosure risks remain minor but may align with dark web activity trends.
Ransomware (Low): With 39 victims in the last 90 days, the sector ranked 13th, showing a marginal 2.6% increase. The share of total victims rose to 2.58%. February saw a spike, followed by a mild recovery post-April. Only 18 of 73 active groups targeted the industry. Qilin (13 victims) and Akira (6) led in volume; Spacebears had the highest targeting share. The USA dominated victim geography (46%), with Canada and Germany next. Notably, Japan, South Korea, and France reported no recent victims. The total number of affected countries dropped to 13, down from 17.