Analysis
23 Sep 22

The real threat to OEMs from Ransomware groups

Ten years ago, hacking a car would have seemed too futuristic to worry about. Then everything changed in 2015, when two security researchers, Charlie Miller and Chris Valasek, remotely compromised a Jeep Cherokee through its Uconnect infotainment system and brought it to a stop on the highway.

The incident forced Fiat Chrysler, Jeep's parent OEM, to recall 1.4 million vehicles, even though the company had described the hack as a “criminal action.” It was only the beginning: cybercrime against the industry has kept developing since, and ransomware is now its most damaging form.

What is ransomware? Technically, it is malware that encrypts a victim's data (and, increasingly, steals a copy first) and demands payment to give it back. In non-technical terms it is the biggest digital threat facing corporations today and for decades to come; it has driven organisations into bankruptcy, and the crime is so profitable that attackers showed no remorse during the pandemic, hitting hospitals in attacks that have been linked to patient deaths.

Ransomware has also caused political friction between major powers, most notably the confrontation between the Biden administration and the Kremlin after the Colonial Pipeline attack of May 2021, which was the last straw for the US. Now cybercriminals are increasingly targeting an industry with ample targets and profits:

  • Renault-Nissan was hit by “WannaCry” in 2017.
  • APT32 (OceanLotus), a Vietnam-linked espionage group rather than a ransomware crew, targeted BMW and Hyundai in 2019.
  • Honda was hit by “Snake” (Ekans) ransomware in 2020.
  • KIA Motors America was greeted by a ransomware note in February 2021 (reproduced in the in-article image; the attackers stated that they had attacked KIA, even though the note is addressed to KIA's affiliate Hyundai).
  • In 2022, Toyota suspended production at its Japanese plants for a day after an attack on its supplier Kojima Industries.

“Cybercriminals are even infiltrating companies with employees, and OEMs are becoming a very lucrative target,” says Igor Lukic, Red Team Leader and founder of the Hacking conference ‘Hackron.’

OEMs are exposing themselves as targets

Cybercriminals have not only evolved technically but have also sharpened their understanding of business operations, says Lukic. They study the victim's operational cycle to find where a disruption of production or supply chain processes hurts most, especially in automotive and industrial settings. The disruption itself can come from conventional attacks, ransomware included, which encrypts the victim's data and renders it useless until payment is made.

Street criminals have not been idle either: they steal vehicles and their contents by attacking radio-frequency key systems, opening and even starting a car with low-cost hardware devices. A further prize is the rich data flowing between OEMs and end users, which criminals harvest through phishing attacks. Lukic says OEMs expose themselves as the weakest point by fixing security holes the traditional way: manual firmware upgrades instead of over-the-air (OTA) updates.

Criminals are infiltrating companies through their employees

The old-school route in is tricking users into giving up their credentials and finding vulnerabilities in the company's network. The newest technique is recruiting key stakeholders or employees, who become insiders working alongside the attackers, says Lukic. Recruits are offered a hefty sum in cryptocurrency in exchange for access to sensitive data or for the cooperation the ransomware attack needs to succeed.

Lukic lists some of the new techniques employed by cybercrime groups: 

  • Deploying a virtual machine on the victim's computer and running the ransomware inside a guest OS (operating system) on top of the corporate OS, so that the encryption process is hidden from endpoint security tools on the host, which see only a trusted hypervisor process. Some groups also time their attacks for weekends to lower the chance of detection.
  • Threatening to publish the stolen data or sell it directly on the dark web, so the pressure remains even if the company recovers its systems from backups. They reinforce the threat by reminding the victim of the GDPR sanctions a public leak would trigger if the ransom is not paid.

What are the most neglected measures in the automotive industry?

While the automotive industry is gradually improving its cybersecurity posture, most OEMs do not appreciate that the components inside a vehicle are interconnected by poorly secured communication protocols, says Lukic. Common mistakes are building infotainment systems with no security of their own and failing to isolate each layer, so that a compromised infotainment unit has full access to the vehicle's mechanical controls. The problem gets worse when:

  • such systems are reachable remotely, so a hack can cause an accident on the road or reveal the vehicle's location in real time, a serious privacy exposure;
  • the key system uses a poorly designed radio protocol, so attackers can unlock an affected car in seconds with pre-built devices that capture and replay its transmissions.
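To make the replay point concrete, here is an added example, not from the article or from Lukic, contrasting a key fob that transmits a fixed code with one that sends a fresh counter protected by a MAC. The fob, receiver, identifier, window size and the HMAC-SHA256 scheme are simplified assumptions for illustration, not any manufacturer's real protocol; real rolling-code systems use dedicated block ciphers, but the principle of "a counter the car has not seen yet, bound by a keyed tag" is the same, and it is also what stops an in-vehicle bus message from being replayed once layers are properly authenticated.

```python
import hashlib
import hmac
import secrets

UNLOCK = b"UNLOCK"
FOB_ID = b"\x01\x02\x03\x04"  # constructed fob identifier for the example


class FixedCodeFob:
    """Fob that transmits the same unlock code on every press (the weak design)."""

    def __init__(self, code: bytes):
        self.code = code

    def press(self) -> bytes:
        return self.code


class FixedCodeReceiver:
    def __init__(self, code: bytes):
        self.code = code

    def receive(self, frame: bytes) -> bool:
        # Nothing in the frame changes between presses, so a captured frame
        # is indistinguishable from a fresh one: capture once, replay forever.
        return hmac.compare_digest(frame, self.code)


class RollingCodeFob:
    """Fob whose every press carries an incrementing counter and a MAC over it."""

    def __init__(self, key: bytes, fob_id: bytes = FOB_ID):
        self.key, self.fob_id, self.counter = key, fob_id, 0

    def press(self, command: bytes = UNLOCK) -> bytes:
        self.counter += 1
        body = self.fob_id + self.counter.to_bytes(4, "big") + command
        # 64-bit truncated HMAC: short enough for a radio frame, still unforgeable without the key
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingCodeReceiver:
    WINDOW = 16  # presses the car may miss (fob pressed out of range) before a resync is needed

    def __init__(self, key: bytes, fob_id: bytes = FOB_ID):
        self.key, self.fob_id, self.last_counter = key, fob_id, 0

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + 4 + 1 + 8:
            return False
        body, tag = frame[:-8], frame[-8:]
        fob_id, ctr = body[:4], int.from_bytes(body[4:8], "big")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if fob_id != self.fob_id or not hmac.compare_digest(tag, expected):
            return False  # wrong fob, or the frame was tampered with
        if not (self.last_counter < ctr <= self.last_counter + self.WINDOW):
            return False  # counter already consumed (replay) or too far ahead
        self.last_counter = ctr  # consume the counter so the same frame never works twice
        return True


def replay_against_fixed_code() -> tuple:
    """Attacker records one legitimate press and replays it: (first, replay)."""
    code = secrets.token_bytes(8)
    fob, car = FixedCodeFob(code), FixedCodeReceiver(code)
    captured = fob.press()
    return car.receive(captured), car.receive(captured)  # (True, True)


def replay_against_rolling_code() -> tuple:
    """Same attack against the counter+MAC design: (first, replay)."""
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    captured = fob.press()
    return car.receive(captured), car.receive(captured)  # (True, False)


def tampered_counter_rejected() -> bool:
    """Attacker bumps the counter to look fresh but cannot recompute the MAC."""
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    captured = fob.press()
    car.receive(captured)
    forged = captured[:4] + (2).to_bytes(4, "big") + captured[8:]
    return car.receive(forged)  # False


def out_of_range_presses(n_missed: int) -> bool:
    """Fob pressed n_missed times away from the car, then once in range."""
    key = secrets.token_bytes(16)
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    for _ in range(n_missed):
        fob.press()  # frames never reach the car
    return car.receive(fob.press())  # accepted only while still inside WINDOW
```

Two caveats a practitioner should keep in mind: a rolling code defeats plain capture-and-replay but not a relay attack (amplifying the live fob signal from inside the owner's house to the car), which needs distance bounding or similar measures, and a jam-and-capture attack can still bank one unused counter value for later if the receiver never sees it; the window is what limits that damage.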

What should an OEM do to avoid a ransomware attack?

These are the key steps Lukic advises OEMs to undertake: 

  • Invest in cybersecurity beforehand: have security products tested by an ethical hacking team or red-team specialists to identify possible vulnerabilities, and employ a Chief Information Security Officer (CISO) who can evangelise cybersecurity from top to bottom and set the right strategy across the enterprise.
  • Bug bounty programmes are promising: the company pays external researchers who find and report security problems in its products.
  • OEMs with lower budgets should at least be able to respond in real time, assembling an incident response team of respected specialists (in-house or retained) who can evaluate the exposure and decide the next actions.

Lukic warns that paying the ransom funds further cybercriminal activity and makes the groups even stronger. To avoid being forced into that position, victims must have backups that are thoroughly tested: restored in an isolated environment, verified, and timed, so the organisation knows how much time and what resources it needs to bring business operations from 0 to 100%.
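As an added example (not the article's or Lukic's own tooling), the following Python restore drill does what the paragraph asks for: it restores a backup into an isolated scratch directory, checks every restored file against a SHA-256 manifest that was taken at backup time and kept separately, and times the restore so the result can be compared with the recovery-time objective. The file tree, archive names and the tar-based backup format are constructed assumptions for illustration; the second scenario models the common failure where a backup job kept running after the ransomware had already encrypted files, so the archive is intact but its contents are worthless.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and return a {relative path: sha256} manifest.

    The manifest must be stored away from both the archive and the systems
    being backed up: it is what lets a drill tell a clean restore from a
    silently corrupted or already-encrypted one.
    """
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    return manifest


def restore_to_isolated_dir(archive: Path, restore_dir: Path) -> None:
    """Extract into a scratch directory, refusing any member that would escape it."""
    root = str(restore_dir.resolve()) + os.sep
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = str((restore_dir / member.name).resolve())
            if not target.startswith(root):
                raise ValueError(f"refusing unsafe archive member: {member.name}")
            try:
                tar.extract(member, restore_dir, filter="data")
            except TypeError:  # Python versions without the 'filter' argument
                tar.extract(member, restore_dir)


def verify_restore(restore_dir: Path, manifest: dict) -> dict:
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh isolated directory, verify against the manifest, and time it."""
    restore_dir = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    start = time.perf_counter()
    try:
        restore_to_isolated_dir(archive, restore_dir)
        result = verify_restore(restore_dir, manifest)
    finally:
        shutil.rmtree(restore_dir, ignore_errors=True)
    result["seconds"] = round(time.perf_counter() - start, 3)
    return result


def run_demo() -> tuple:
    """Constructed scenario: a tiny plant file tree, one good backup, then a
    backup taken after a file was overwritten with 'encrypted' content."""
    work = Path(tempfile.mkdtemp(prefix="oem-backup-demo-"))
    try:
        src = work / "plant"
        (src / "config").mkdir(parents=True)
        (src / "config" / "db.yaml").write_text("host: mes-db\nport: 5432\n")
        (src / "plc_program.bin").write_bytes(bytes(range(256)) * 4)

        archive = work / "backup.tar.gz"
        manifest = make_backup(src, archive)       # trusted manifest, kept offline
        clean = restore_drill(archive, manifest)   # expected: ok

        # Ransomware overwrites a file; the nightly backup job still runs.
        (src / "config" / "db.yaml").write_bytes(b"\x00ENCRYPTED\x00" * 3)
        bad_archive = work / "backup-after-encryption.tar.gz"
        make_backup(src, bad_archive)              # its own manifest is untrusted, discard it
        bad = restore_drill(bad_archive, manifest)  # expected: config/db.yaml mismatched
        return clean, bad
    finally:
        shutil.rmtree(work, ignore_errors=True)
```

The recorded `seconds` figure is the number to track over time: a drill that passes verification but takes longer than the business can tolerate is still a failed recovery plan, and a drill that restores only into the production network is not isolated at all.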

What is the biggest risk in 2023? 

Since the 2000s the trend of cybercrime growing stronger every year has not been broken, says Lukic. The main reason is that criminals successfully cash out their attacks through cryptocurrencies, which Lukic estimates has increased their budgets by 1000%. With that money they have strengthened their arsenal and started recruiting insiders.

Therefore 2023 will be no different, says Lukic. “It is clear that the chip shortage and any halt on production is a significant hit for enterprises. Therefore, I believe criminals can use this as leverage to increase their pressure on victims and ask for even higher cash-outs.” The problem is compounded by platform ageing: Microsoft is pushing Windows 11, while OEM and industrial environments still run old Windows releases and, especially, old Linux versions that will no longer receive security patches, leaving those systems with vulnerabilities that can never be fixed. Economic pressure may lead OEMs to keep running such unpatched systems for even longer.

OEMs had better prepare for 2023, as AI (artificial intelligence) is slowly emerging as a new weapon for both cybercriminals and security companies. It will help criminals automate attacks on devices and make those attacks more resilient against defences, something already observed in recent ransomware campaigns, says Lukic.

For security companies, the crucial task will be scaling the work of human analysts to the volume of data being generated. Those that can surface the common threats with the fewest false positives will get the most from their analysts, who can then concentrate on real threats instead of playing cat-and-mouse.

In the brutal cybercrime space, the mouse could well be an OEM.

Main image: Shutterstock. The in-article image is courtesy of BleepingComputer. The in-article photo shows Igor Lukic, Red Team Leader and founder of the Hacking conference ‘Hackron.’

Authored by: Mufit Yilmaz Gokmen