
CYFIRMA INDUSTRY REPORT : AUTOMOTIVE

Published On : 2024-07-02

EXECUTIVE SUMMARY

The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the automotive industry, presenting key trends and statistics in an engaging infographic format.

INTRODUCTION

Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the automotive industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the automotive industry.
 
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.

METHODOLOGY

CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. This data is processed by AI and ML automation, drawing on both human research input and automated ingestion.

OBSERVED ATTACK CAMPAIGNS

  • Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors, both nation-state and financially motivated.
  • Each attack campaign may target multiple organizations across various countries.
  • Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
  • Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.

PHISHING

  • Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
  • Our primary focus is on detecting brand impersonation rather than the intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries, as some industries simply do not make good phishing lures.

RANSOMWARE

  • The victim data presented in this report is directly sourced from the blogs of respective ransomware groups. However, it’s worth noting that certain blogs may provide limited victim information, such as only names or domains, while others may be entirely obfuscated. These limitations can impact the accuracy of victimology during bulk data processing.
  • In some cases, multiple companies share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was compromised. In such a case, we count the country of the company’s HQ.
  • During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
  • Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
  • Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.
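As an added illustration of the counting rules described above (this is not CYFIRMA's code, and the leak-site records, group names and 90-day window are constructed), the following Python aggregates ransomware victim records the way the report's statistics are defined: the HQ rule for listings whose branch cannot be identified, the industry's share of all victims, the per-gang share, and country and monthly distributions.

```python
from collections import Counter
from datetime import date

# Constructed sample of leak-site records (illustrative, not CYFIRMA telemetry).
# Fields mirror the methodology: publishing group, victim name, the country of
# the branch named on the blog (None when the blog gives only a name or domain),
# the country of the company's HQ, industry, and the date the listing was ingested.
SAMPLE_VICTIMS = [
    {"group": "Medusa",   "name": "Alpha Dealers",      "branch": "US", "hq": "US", "industry": "Automotive", "listed": date(2024, 4, 3)},
    {"group": "Medusa",   "name": "Beta Parts",         "branch": None, "hq": "DE", "industry": "Automotive", "listed": date(2024, 5, 10)},
    {"group": "Medusa",   "name": "Gamma Clinic",       "branch": "US", "hq": "US", "industry": "Healthcare", "listed": date(2024, 4, 20)},
    {"group": "Medusa",   "name": "Delta Bank",         "branch": "GB", "hq": "GB", "industry": "Finance",    "listed": date(2024, 6, 1)},
    {"group": "LockBit3", "name": "Epsilon Motors",     "branch": "IT", "hq": "IT", "industry": "Automotive", "listed": date(2024, 5, 22)},
    {"group": "LockBit3", "name": "Zeta Law",           "branch": "US", "hq": "US", "industry": "Legal",      "listed": date(2024, 5, 5)},
    {"group": "LockBit3", "name": "Eta Retail",         "branch": "FR", "hq": "FR", "industry": "Retail",     "listed": date(2024, 6, 15)},
    {"group": "LockBit3", "name": "Theta Logistics",    "branch": "US", "hq": "US", "industry": "Logistics",  "listed": date(2024, 4, 11)},
    {"group": "Cactus",   "name": "Iota Trucks",        "branch": "US", "hq": "JP", "industry": "Automotive", "listed": date(2024, 6, 20)},
    {"group": "Cloak",    "name": "Kappa Auto Finance", "branch": None, "hq": "US", "industry": "Automotive", "listed": date(2024, 6, 25)},
    {"group": "RaGroup",  "name": "Lambda Mould",       "branch": "TH", "hq": "TH", "industry": "Automotive", "listed": date(2024, 4, 8)},
    # Listed before the window starts; must be excluded from all counts below.
    {"group": "Medusa",   "name": "Mu Auto",            "branch": "US", "hq": "US", "industry": "Automotive", "listed": date(2024, 3, 30)},
]

# Constructed 90-day reporting window (inclusive on both ends).
WINDOW_START = date(2024, 4, 1)
WINDOW_END = date(2024, 6, 30)


def resolve_country(record):
    """HQ rule: when the blog does not identify which branch was hit,
    count the country of the company's headquarters."""
    return record["branch"] or record["hq"]


def in_window(records, start, end):
    """Keep only listings ingested within the reporting window."""
    return [r for r in records if start <= r["listed"] <= end]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 on an empty base."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def industry_share(records, industry):
    """(industry victims, all victims, percentage), the '32 of 1,241 = 2.6%' figure."""
    n = sum(1 for r in records if r["industry"] == industry)
    return n, len(records), pct(n, len(records))


def share_by_group(records, industry):
    """Per gang: (industry victims, all its victims, percentage).
    A high share on a reasonable base suggests sector focus, as with Medusa's 5 of 62."""
    total = Counter(r["group"] for r in records)
    hit = Counter(r["group"] for r in records if r["industry"] == industry)
    return {g: (hit[g], total[g], pct(hit[g], total[g])) for g in total}


def country_distribution(records, industry):
    """Victims per country for one industry, applying the HQ rule."""
    return Counter(resolve_country(r) for r in records if r["industry"] == industry)


def monthly_counts(records, industry):
    """Victims per (year, month) for one industry, for the monthly activity chart."""
    return Counter((r["listed"].year, r["listed"].month)
                   for r in records if r["industry"] == industry)


# Records that fall inside the constructed window.
WINDOW = in_window(SAMPLE_VICTIMS, WINDOW_START, WINDOW_END)

if __name__ == "__main__":
    print("industry share:", industry_share(WINDOW, "Automotive"))
    print("per gang:", share_by_group(WINDOW, "Automotive"))
    print("per country:", country_distribution(WINDOW, "Automotive"))
    print("per month:", monthly_counts(WINDOW, "Automotive"))
```

The percentages in the per-gang table are only meaningful together with the base: a group with a single listed victim scores 100% for whatever industry that victim belongs to, which is why the report qualifies Medusa's share with the absolute numbers.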

While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.

ADVANCED PERSISTENT THREAT ATTACK CAMPAIGNS

Automotive organizations featured in 4 of the 15 observed campaigns, a presence in 26.6% of all campaigns.

OBSERVED CAMPAIGNS PER MONTH

Following a period of generally low detections, the volume of observed campaigns increased in June. This uptick is correlated with global trends rather than being industry-specific.

SUSPECTED THREAT ACTORS

We observed a varied mix of TTPs and languages used on relevant forums. In addition to the well-known Chinese group TICK, we identified the Vietnamese group CoralRaider, an unknown Thai-speaking cybercriminal group, and an English-speaking group with an interest in targets in East and Southeast Asia.

GEOGRAPHICAL DISTRIBUTION

Recorded victims of observed attack campaigns span 13 different countries, with a strong focus on East and Southeast Asia, which matches the identified background of the threat actors.

TOP ATTACKED TECHNOLOGY

Web applications continue to be the most targeted technology across industries, with operating system exploitation tools also being observed.

APT CAMPAIGNS

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

In the past 90 days, automotive organizations have not been significantly impacted by advanced persistent threat (APT) campaigns. Although 26.6% of observed APT campaigns were related to the automotive sector, all 4 out of the 15 campaigns targeted various suppliers of components, such as plastic moulds or semiconductors, that are not exclusive to the automotive industry.

Monthly Trends
After a period of lower detections, the volume of observed campaigns increased in June. This uptick is correlated with global trends rather than being industry-specific.

Key Threat Actors
A varied mix of TTPs and languages used by threat actors were detected on relevant forums. In addition to the well-known Chinese group TICK, we identified the Vietnamese group CoralRaider, an unknown Thai-speaking cybercriminal group, and an English-speaking group with an interest in targets in East and Southeast Asia.

Geographical Impact
The campaigns impacted a total of 13 countries, with a particular focus on East and Southeast Asia, corresponding to the identified background of the observed threat actors.

Targeted Technologies
Web applications and operating system exploitation were used in the observed campaigns as the primary TTPs.

PHISHING ATTACKS IN THE AUTOMOTIVE INDUSTRY

Over the past 3 months, CYFIRMA’s telemetry detected 91 phishing campaigns themed around automotive out of a total of 260,275.
 
The chart below illustrates the global distribution of observed themes. Automotive accounts for only 0.03% of all captured phishing attempts and is therefore not tracked as a category.

GLOBAL DISTRIBUTION OF PHISHING THEMES

TOP IMPERSONATED BRANDS

All automotive-related phishing is actually focused on automotive financing. Nearly all instances impersonate the United Services Automobile Association, with some samples also involving Toyota Finance Corporation.

TOP COUNTRIES OF ORIGIN (ASN)

The geographical sources of observed phishing campaigns show that most automotive-themed phishing comes from the US, which aligns with the observed impersonations of USAA.

PHISHING

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: Low

The automotive industry warrants a low risk factor.

As established in previous automotive industry reports, it does not present an attractive lure for wider “spray and pray” types of phishing campaigns.

The data indicates that the United Services Automobile Association and Toyota Finance Corporation are the only identified impersonated organizations related to automotive, though both brands align more closely with the financial industry.

ASN-origin data reveals that the United States is the leading source of phishing emails using the observed automotive-related themes.

The automotive sector is typically not a prime target for phishing campaigns, except for instances involving spear-phishing attacks by geopolitically motivated Advanced Persistent Threats (APTs) and ransomware affiliates. This is primarily because cybercrime is opportunistic, with sectors like finance and healthcare being much easier to monetize.

Consequently, phishing campaigns targeting the automotive industry tend to focus on related financial services, such as leasing or insurance.

RANSOMWARE VICTIMOLOGY

In the past 90 days, CYFIRMA has identified 32 verified ransomware victims in the automotive industry. This accounts for 2.6% of the overall total of 1,241 ransomware victims during the same period.

GLOBAL DISTRIBUTION BY INDUSTRY

VICTIMS PER INDUSTRY SECTORS

Automotive dealerships are the most frequent ransomware victims in the automotive industry. However, they account for only 9 of the 32 victims.

INDUSTRY MONTHLY ACTIVITY CHART

Setting aside the two days of March that fall within the 90-day window, we can see remarkably consistent numbers of victims during April, May and June.

BREAKDOWN OF ACTIVITY PER GANG

A breakdown of the monthly activity provides insights into which gangs were active each month. For example, LockBit3 came back in May, Ra Group was active in April, and Cactus and Cloak were active in June.

INDUSTRY RANSOMWARE VICTIMS PER GANG

In total, 19 of the 54 active groups recorded automotive organizations as victims in the past 90 days. Notably, the 32 victims are spread across 19 groups, a high distribution.

ALL RANSOMWARE VICTIMS PER GANG

Comparing the automotive industry to all recorded victims, the Medusa gang stands out with 5 of its 62 victims (8%) in this industry, implying focused interest.

GEOGRAPHIC DISTRIBUTION OF VICTIMS

The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.

INDUSTRY VICTIMS PER COUNTRY

In total, 13 countries recorded ransomware victims, with the US alone accounting for 31% of all victims with identified geography.

RANSOMWARE

EXTERNAL THREAT LANDSCAPE MANAGEMENT (ETLM) OVERVIEW

Risk Level Indicator: High

The automotive industry is the least frequent victim of ransomware, ranking 14th. However, it is a very narrowly scoped sector; even so, it accounts for 2.6% of all ransomware victims and therefore faces a significant ransomware risk.

Monthly Activity Trends
Ransomware activity in the automotive industry has shown remarkably consistent numbers of 10 to 11 victims each month.

Ra Group was active in April, LockBit3 returned in May, Cactus and Cloak recorded victims in June, and the Medusa gang was active across all months.

Ransomware Gangs
A total of 19 out of 54 active ransomware groups targeted the automotive industry in the past 90 days:

Medusa: 8% of their victims were from this industry (5 out of 62 victims), implying a possible focus on this industry.

LockBit3: Due to its large affiliate base and sheer volume, it presents a high risk (4 out of 184 victims).

The distribution of attacks among many groups indicates that no single gang dominated the ransomware landscape in the automotive sector.

Geographic Distribution
The geographic distribution of ransomware victims in the automotive industry highlights the widespread nature of these attacks:

31% of all victims are located in the US, followed by traditional European automotive countries like Germany, Italy, France and the UK.

In total, 13 countries reported ransomware victims in this industry.

For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.

CONCLUSION

In the past 90 days, automotive organizations have faced low to high risk across monitored categories.

APT Campaigns: Although 26.6% of observed APT campaigns related to the automotive sector, they primarily targeted suppliers of components like plastic moulds and semiconductors, making the overall risk low. Activity increased in June, reflecting global trends rather than industry-specific threats. Key actors included TICK (China), CoralRaider (Vietnam), an unknown Thai-speaking group, and an English-speaking group targeting East and Southeast Asia. The campaigns mainly exploited web applications and operating systems, impacting 13 countries in these regions.

Phishing: The risk remains low for the automotive sector, which is not an attractive target for broad phishing campaigns. Notable impersonated organizations included the United Services Automobile Association and Toyota Finance Corporation, aligning more with the financial industry. The US was the leading source of phishing emails. Geopolitically motivated APTs and ransomware affiliates pose spear-phishing threats.

Ransomware: The automotive industry faces a high ransomware risk, despite being the least frequent victim at 14th place. Despite its narrow scope, it still accounts for 2.6% of all ransomware victims. Consistent monthly activity saw 10 to 11 victims each month. Active groups included Medusa, LockBit3, Cactus, and Cloak, with Medusa showing a potential focus on the sector. The geographic distribution of victims is widespread, with 31% in the US and others in key European automotive countries like Germany, Italy, France, and the UK, affecting 13 countries in total.