CYFIRMA INDUSTRY REPORT – AUTOMOTIVE

Published On : 2024-03-18
EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the automotive industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the automotive industry over the past three months. This report provides data-driven statistics and a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the automotive industry.

We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.

For the purpose of these reports, we leverage the following data sets from our platform. They are processed by AI and ML automation and draw on both human research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.

Each attack campaign may target multiple organizations across various countries.

Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.

Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.

Our primary focus is on detecting brand impersonation rather than identifying intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.

RANSOMWARE

Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.

In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations, where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.

During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.

Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.

Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Strictly automotive organizations featured in 0 out of the 17 observed campaigns, i.e. a presence in 0% of campaigns.

To still provide some insights, we have widened the range to overlapping sectors such as Transportation and Industrial Conglomerates. There we have observed relevant victims in 6 out of 17 campaigns.

Observed Campaigns per Month

The monthly chart shows varied detections throughout the months with no clear trend.

Suspected Threat Actors

The majority of detections are associated with the APT41 nexus, collectively tracked as Mission2025. Additionally, we have observed Leviathan, another Chinese group operating in the Middle East, the North Korean Lazarus group, the Russian nation-state groups Fancy Bear and Cozy Bear, and the Russian-speaking, financially motivated TA505.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 34 different countries, with Japan, Taiwan and India having the highest number of victims, which correlates with the size of their manufacturing industries and the automotive parts makers within them. Despite Leviathan having only one detected campaign, its presence extends across the entire Middle East region.

TOP ATTACKED TECHNOLOGY

Attack campaigns focused on Web Applications, Operating Systems and Infrastructure-as-a-Service solutions.

APT CAMPAIGNS EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

In the past 90 days, we have not observed any automotive industry victims in observed attack campaigns. This follows the previous 90-day period with just a single detection and as such warrants a low-risk indicator.

Our hypothesis suggests a shift away from industrial espionage and intellectual property theft by prolific nation-state APTs (Advanced Persistent Threats) towards geopolitical objectives, which align with recent events and developments. Particularly in the case of China, it seems that their domestic automotive industry has achieved competitive levels, especially in the Electric Vehicle sector. Therefore, the necessity for competitive espionage is likely significantly reduced.

Statistics for overlapping industries, such as industrial conglomerates encompassing automotive parts manufacturing, and transportation including various automotive-related services, indicate continuous activity, primarily from Chinese nation-state APTs. Specifically, activity from APT41, tracked as MISSION2025 by CYFIRMA, remains prominent.

Overall, the most targeted regions were Japan, Taiwan, and India, reflecting the scale of their respective manufacturing industries. In addition to traditionally targeted Western countries, there is a noteworthy and increasing presence in the APAC region, particularly in Southeast Asia, correlating with Chinese strategic interests.

Web applications remain the most frequently targeted technology across industries, followed by operating systems and Infrastructure-as-a-Service (IaaS).

PHISHING ATTACKS IN THE AUTOMOTIVE INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry recorded only 62 phishing campaigns impersonating automotive industry organizations, out of a total of 362,062 campaigns.

Observed automotive-related phishing themes amount to <0.02% and as such are not being tracked as a category.

Global Distribution of Phishing Themes per Sector

Top Impersonated Brands

Only one automotive-related organization, United Services Automobile Association (USAA), was observed in impersonation campaigns. USAA is a financial services and insurance company rather than an auto-maker.

Top Countries of Origin based on ASN

ASN origin of observed campaigns is mostly from the US, but some originated in Thailand, Australia and Russia, suggesting international cybercrime activity and the use of a global botnet to distribute the phishing campaigns.

PHISHING EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

Similar to the manufacturing industry, the automotive sector is typically not a prime target for phishing campaigns, except for instances involving spear-phishing attacks by geopolitically motivated Advanced Persistent Threats (APTs) and ransomware affiliates. There are several reasons for this. Primarily, the intricacies of automotive operations, including specialized machinery, production processes, and proprietary technologies, make them less comprehensible and potentially less valuable or easily monetizable for cybercriminals compared to sectors like finance or healthcare.

Consequently, phishing campaigns targeting the automotive industry tend to focus on related financial services, such as leasing or insurance.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 52 verified ransomware victims across the automotive industry sectors. This accounts for 4.7% of the 1,100 ransomware incidents recorded during the same period.

The monthly activity chart shows consistent and relatively high numbers across months. March shows a slight decrease in activity following the disruption of LockBit3 by law enforcement.

Breakdown of Monthly Activity by Gangs

A breakdown of the monthly activity provides insights into per-group activity. For example, LockBit3 was highly active before the law enforcement action in February, Trigona recorded most of its victims in January, and ALPHV appeared only in February.

Ransomware Victims in the Automotive Industry per Group

In total 19 out of 48 active groups recorded automotive organization victims in the past 90 days. The top 4 are responsible for half of them.

Comparison to All Ransomware Victims by Group

Comparing the automotive industry to all victims recorded, we can see, for example, that the Cactus gang has 7 out of 59 (12%) victims in the automotive industry. Similarly, Trigona recorded 4 out of 13 (31%) in automotive, implying a focus on this industry.
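The per-group share above, together with the deduplication and geography rules described under the Ransomware methodology (duplicate posts, several companies sharing a name, HQ country for multinationals), can be reproduced with a small aggregation script. The following is an added example and not CYFIRMA’s own tooling; the leak-site posts, company names and the enrichment table are constructed for illustration, and the choice to mark ambiguous names as "unknown" geography is an assumption of this example.

```python
from collections import Counter, defaultdict

# Constructed leak-site posts: (ransomware group, victim name as posted, date posted).
# All company names are fictional; the duplicate and same-name entries are deliberate.
SAMPLE_POSTS = [
    ("LockBit3", "Acme Auto Parts", "2024-01-08"),
    ("LockBit3", "Northwind Logistics", "2024-01-12"),
    ("LockBit3", "Globex Dealerships", "2024-02-03"),
    ("Cactus", "Acme Auto Parts", "2024-02-14"),    # same name, different company/country
    ("Cactus", "Initech Software", "2024-02-20"),
    ("Trigona", "Contoso Motors", "2024-01-22"),
    ("Trigona", "Contoso Motors", "2024-01-22"),    # duplicate post, must be counted once
    ("Trigona", "Fabrikam Leasing", "2024-01-30"),
]

# Hypothetical enrichment table: victim name -> list of (industry, HQ country) candidates.
# A name with several candidates models two companies sharing a name; the HQ country is
# used for multinationals. Industries and countries here are assumptions, not report data.
COMPANY_DB = {
    "Acme Auto Parts": [("Automotive", "US"), ("Automotive", "DE")],
    "Northwind Logistics": [("Transportation", "US")],
    "Globex Dealerships": [("Automotive", "UK")],
    "Initech Software": [("Technology", "US")],
    "Contoso Motors": [("Automotive", "AU")],
    "Fabrikam Leasing": [("Automotive", "US")],
}


def enrich(posts, company_db):
    """Deduplicate posts per (group, victim) and attach industry and HQ country.

    If all candidate companies for a name agree on industry, that industry is kept;
    if they disagree on country, geography is recorded as "unknown" rather than guessed,
    so it drops out of the geographic denominator instead of skewing it.
    """
    seen = set()
    victims = []
    for group, name, date in posts:
        key = (group, name)
        if key in seen:
            continue
        seen.add(key)
        candidates = company_db.get(name, [])
        industries = {industry for industry, _ in candidates}
        countries = {country for _, country in candidates}
        victims.append({
            "group": group,
            "name": name,
            "date": date,
            "industry": industries.pop() if len(industries) == 1 else "unknown",
            "country": countries.pop() if len(countries) == 1 else "unknown",
        })
    return victims


def sector_share_by_group(victims, sector):
    """Per group: (victims in sector, total victims, sector share in percent)."""
    totals = defaultdict(int)
    in_sector = defaultdict(int)
    for v in victims:
        totals[v["group"]] += 1
        if v["industry"] == sector:
            in_sector[v["group"]] += 1
    return {g: (in_sector[g], totals[g], round(100 * in_sector[g] / totals[g]))
            for g in totals}


def country_share(victims, sector):
    """Share of sector victims per country, counting only victims with known geography."""
    known = [v for v in victims if v["industry"] == sector and v["country"] != "unknown"]
    counts = Counter(v["country"] for v in known)
    return {c: round(100 * n / len(known)) for c, n in counts.items()}


if __name__ == "__main__":
    victims = enrich(SAMPLE_POSTS, COMPANY_DB)
    for group, (hits, total, pct) in sector_share_by_group(victims, "Automotive").items():
        print(f"{group}: {hits} of {total} victims in Automotive ({pct}%)")
    print("Geography of Automotive victims:", country_share(victims, "Automotive"))
```

Note that the geographic percentages are computed over victims with identified geography only, which is why a "share of all victims" figure and a "share of victims with known geography" figure for the same group can differ.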

Geographic Distribution of Victims

The heatmap of geographic distribution shows the truly global reach of ransomware.

In total 14 countries recorded ransomware victims with the US alone accounting for ~42% of all victims with identified geography, followed by Australia and the UK.

Sectors Distribution

Listing consolidated sectors falling under the automotive industry umbrella reveals that Automotive Sales and Services, followed by combined Automotive and parts manufacturing are the most attacked sectors. Additionally, we see a diverse range of impacted sectors, including various niches.

RANSOMWARE EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The automotive industry is by nature a manufacturing industry, which is the most attacked industry by ransomware. Given the fairly narrow scope, the numbers point to a high-risk indicator. In the last 90 days automotive victims accounted for 4.7% of all victims, an increase from the previous 3.8% share. Despite an overall decrease in the number of automotive businesses affected (67 to 52) and a decline in total ransomware victims (1,766 to 1,100), monthly activity shows a consistent volume of victims with no discernible trend.

Breaking down the victimology by ransomware group, LockBit3 emerges as the most active, responsible for 19% of the total 52 victims. Furthermore, the Trigona and Cactus gangs show a notable focus on the automotive sectors, which represent 31% and 12% of their respective total victims.

Although not as pronounced, given the narrower scope, the trend of high involvement from mid to small-sized ransomware groups continues, with 19 out of 48 active groups in the last 90 days having victims in this industry—a trend first noticed in September of the previous year.

Analysing the 52 victims across 14 different countries, the United States bears the highest impact with 20 victims (42% of those with identified geography), followed by Australia and the UK, with 6 and 5 victims respectively.

Examining specific sectors reveals that automotive sales, services and leasing, together with combined automotive and automotive parts manufacturing, are the most severely impacted.

For a comprehensive, up-to-date global ransomware tracking report on a monthly basis, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the automotive industry’s external threat landscape, we observe mixed risk factors.

The presence of automotive businesses in observed Advanced Persistent Threat (APT) campaigns has decreased from 1 to 0, maintaining a low-risk factor. This is likely due to nation-state APTs shifting focus from industrial espionage to geopolitical objectives, as well as the Chinese automotive industry reaching competitive parity with established brands.

Phishing remains a low risk in the automotive industry. The intricacies of automotive manufacturing operations and the absence of easily monetizable data make it an unsuitable theme for broad phishing campaigns. Manufacturing businesses generally lack direct access to high-value personal or financial information, and their customer databases are typically limited. As a result, the only automotive-related brands being impersonated are leasing and insurance organizations.

Ransomware remains a high threat, with automotive organizations accounting for 4.7% of all victims in the last 90 days, an increase from 3.8% in the previous period. The most active groups include LockBit3, Trigona, and Cactus; however, participation by small to mid-sized groups also adds up to a substantial share of all victims. The US is by far the most targeted with 20 out of 52 victims, followed by Australia and the UK (6 and 5 respectively).