The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry-driven statistics of global industries, covering one sector each week for a quarter. This report focuses on the automotive industry, presenting key trends and statistics in an engaging infographic format.
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the automotive industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the automotive industry.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Automotive organizations featured in 2 out of the 13 observed campaigns, which is a presence in 15% of all campaigns.
Both observed campaigns were recorded in September. We are observing a general decline in APT activity, specifically nation-state from China in automotive industry.
Observed threat actors are all Russian. Due to interconnected nature of Russian APT groups, including financially motivated cybercrime and nation-state groups, attributions in two observed campaigns are murky.
Recorded victims of observed attack campaigns span 14 different countries. Data correlates with known prominent auto and related parts manufacturing countries.
Both campaigns utilized Web Application attacks as the primary attack vector.
Risk Level Indicator: Low
In the past 90 days, automotive organizations have not been significantly impacted by advanced persistent threat (APT) campaigns. 15% of observed APT campaigns recorded automotive industry victims, with 2 out of 13 total campaigns.
Monthly Trends
We observed both campaigns in September. Overall, we have noted a decline in nation-state APT interest targeting the automotive industry. This trend appears to align with China’s advancement in developing a competitive domestic automotive sector, likely redirecting its cyber operations toward other strategic objectives.
Key Threat Actors
All observed threat actors originate from Russia. The attacks are most likely attributable to prominent cybercrime syndicates such as TA505, FIN7, and FIN11. However, the intertwined nature of Russian cybercrime and state-sponsored operations complicates attribution, as their TTPs overlap. In this case with Gamaredo and Fancy Bear.
Geographical Impact
Cyber campaigns have impacted 14 countries, with those possessing substantial automotive industry and trade—such as South Korea, Japan, and the United States. Notably, Vietnam has experienced increased cyber activity, correlating with the growth of its economy, including the automotive sector.
Targeted Technologies
Web applications have been primarily attacked in both the observed campaigns.
Over the past 3 months, CYFIRMA’s telemetry detected 29 phishing campaigns themed around the automotive industry out of a total of 190,725. All of these are automotive insurance and financing.
The chart below illustrates the global distribution of observed themes. Observed automotive -related phishing accounts for 0.015% of all captured phishing attempts and therefore is not tracked as a category.
The United States Automobile Association was the only observed automotive-related organization in the captured phishing samples.
The United States is nearly the exclusive source of the observed phishing, with Germany being the source of one of the 29 captured samples.
Risk Level Indicator: Low
The automotive industry remains a low-priority target for widespread “spray-and-pray” phishing attacks.
Apart from targeted efforts by geopolitically motivated Advanced Persistent Threat (APT) groups and ransomware operators, cybercriminals generally steer clear of this sector due to specific industry characteristics:
Limited Financial Incentive from Specialized Systems: The industry’s proprietary machinery and technologies are difficult to exploit or sell, unlike readily monetizable financial or healthcare data.
Scarcity of High-Value Data: Automotive companies usually don’t hold large volumes of sensitive financial or personal information that attract identity thieves or fraudsters.
Few Repositories of Personally Identifiable Information (PII): The lack of extensive PII databases reduces the allure for attackers seeking data theft through phishing.
However, phishing attempts related to the automotive field are typically concentrated on auto financing and insurance sectors. These areas handle financial transactions and personal data, making them more enticing targets for cybercriminals.
In summary, despite the automotive industry’s significant role in the global economy, these factors make it less attractive for generic phishing campaigns.
In the past 90 days, CYFIRMA has identified 49 verified ransomware victims in the automotive industry. This accounts for 3.1% of the overall total of 1,585 ransomware victims during the same period, placing the automotive industry as the 12th most frequent victim of ransomware.
Parts & Accessories makers Dealerships with Retail are the most frequent victims of ransomware in the automotive industry.
Considering just a few days of August, we can see September was unusually low with just 8 victims. Manual review of the data confirmed accuracy.
A breakdown of the monthly activity provides insights into which gangs were active each month. For example, RansomHub has been consistently active since August. Play and 3Am were active in October and El Dorado has most victims from November.
In total 21 out of 62 active groups recorded automotive organizations victims in the past 90 days. Notable is the distribution among a large number of groups in this period.
When comparing the automotive industry to all recorded victims, RansomHub emerges with the highest number of victims overall. Additionally, 3Am shows significant targeting of the automotive sector, with 16% of their victims coming from this industry.
The geographic distribution heatmap underscores the widespread impact of ransomware, highlighting the countries where victims in this industry have been recorded.
In total 15 countries recorded ransomware victims with the US alone accounting for ~48% of all victims with identified geography.
Risk Level Indicator: Moderate
The automotive industry is placed as the 12th most frequent victim. It faced varying levels of threat across months yet overall warranting a Moderate risk factor.
Monthly Activity Trends
Ransomware activity in the automotive industry recorded an unusually low number of recorded victims during September. However, this was followed by a mild spike during October.
RansomHub with Play was the most active group overall. Former were active during entire 90-day period, Play and 3Am mainly in October, and El Dorado recorded the majority of their victims in November.
Ransomware Gangs
A total of 21 out of 62 active ransomware groups targeted the automotive industry, representing 34% participation.
RansomHub: Although only 3% of their victims were in the automotive industry (9 out of 258 victims), they accounted for the highest number of victims overall.
3Am: This is the only group showing a stronger focus on the automotive industry, with 16% of their victims respectively coming from the sector (3 out of 19).
Geographic Distribution
The geographic distribution of ransomware victims in the automotive industry reflects the industry’s global nature and the widespread reach of these attacks:
48% of all victims with identified geography are located in the US.
In total, 15 countries recorded ransomware victims in the automotive industry.
For a comprehensive, up-to-date global ransomware tracking report, please refer to our new monthly “Tracking Ransomware” series here.
Over the past 3 months, CYFIRMA’s DECYFIR platform recorded 5,547 vulnerabilities with scores higher than 8. This is out of a total of 17,345 newly reported or updated vulnerabilities.
Filtered by relevant vendors, we have observed 167 vulnerabilities out which 115 with a score of 8 or above are related specifically to the automotive industry.
Four of these reported vulnerabilities have a known exploit.
Siemens and Mitsubishi Electric are top vendors with reported vulnerabilities with a risk score of 8 or above. Notably Mercedes-Benz and Skoda Auto reported vehicle-related vulnerabilities.
Title | NIST LINK |
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php. | https://nvd.nist.gov/vuln/detail/CVE-2018-16061 |
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI. | https://nvd.nist.gov/vuln/detail/CVE-2018-16060 |
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU’s configuration file (which contains data, such as usernames passwords and other sensitive RTU data). | https://nvd.nist.gov/vuln/detail/CVE-2019-14927 |
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user-supplied data to the RTU’s system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via the Mobile Connection Test. When the Mobile Connection Test is submitted action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data. | https://nvd.nist.gov/vuln/detail/CVE-2019-14931 |
Title | NIST LINK |
An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the maintenance orders of other users and access sensitive user information via unspecified vectors. | https://nvd.nist.gov/vuln/detail/CVE-2023-47393 |
An access control issue in Mercedes me IOS APP v1.34.0 and below allows attackers to view the carts of other users via sending a crafted add order request. | https://nvd.nist.gov/vuln/detail/CVE-2023-47392 |
By sending a specific reset UDS request via the OBDII port of Skoda vehicles it is possible to cause vehicle engine shutdown and denial of service of other vehicle components even when the vehicle is moving at a high speed. No safety-critical functions were affected. | https://nvd.nist.gov/vuln/detail/CVE-2023-28899 |
Over the past 90 days, automotive organizations faced low to moderate cyber risks:
APT Campaigns: Only 2 out of 13 observed campaigns (15%) targeted the automotive sector in September, indicating a decline in APT interest—possibly due to China’s focus on its domestic automotive industry. Russian cybercrime groups like TA505, FIN7, and FIN11 were the primary threat actors, affecting 14 countries with significant automotive industries, including South Korea, Japan, and the U.S., with increased activity in Vietnam.
Phishing: The automotive industry remains a low-priority target for widespread phishing attacks due to limited financial incentives and scarce high-value data. Phishing attempts are typically concentrated on auto financing and insurance sectors, which handle financial transactions and personal data.
Ransomware: Ranked as the 12th most frequent victim, the industry faces moderate risk with varying threat levels across months. Activity was unusually low in September but saw a mild spike in October. RansomHub and Play were the most active groups. Out of 62 ransomware groups, 21 (34%) targeted the automotive industry, with 48% of the victims located in the U.S.
Vulnerabilities: Of 17,345 reported vulnerabilities, 5,547 were high-severity (scored above 8). Specifically, 115 high-scoring vulnerabilities related to the automotive industry were identified, with 4 having known exploits. Notably, Mercedes-Benz and Škoda Auto reported vehicle-related vulnerabilities requiring attention.