Cactus, a notorious ransomware group focused on financial gains, recently claimed responsibility for a cyberattack on CIE Automotive. The incident, dated Dec. 7, 2023, was substantiated by the release of some of the stolen data, including employee passports and various business documents, such as blueprints and nondisclosure agreements (NDAs).
Cactus is a ransomware group first identified in May 2023. Its typical mode of attack involves exploiting vulnerabilities in virtual private network (VPN) appliances to gain system access. Like other ransomware groups, Cactus does not stand out in terms of its attack methods or tactics, which are already well known; it is simply one among many ransomware groups.
CIE Automotive, the targeted company, is a prominent supplier of automotive parts, with its headquarters in Spain. The company boasts a global presence with multiple divisions and factories worldwide, providing a diverse range of components, from powertrains to chassis.
This apparent cyberattack on CIE Automotive is a stark reminder of the frequent and varied cyberthreats that industries face, especially those utilizing internet technologies. In this article, we explore typical scenarios in industries reliant on internet technologies and highlight the unique vulnerabilities and challenges that the automotive industry faces amid the rising tide of cyberattacks.
Ransomware attacks inflict multifaceted disruption on businesses, including the consequences of ransomware infection, data breaches, and system downtimes. As per the VicOne Automotive Cyberthreat Landscape Report 2023, the automotive industry incurred over US$11 billion in losses due to ransomware in the first half of last year alone. This figure does not even take into account the intangible losses related to reputation and public relations.
Furthermore, the impact of ransomware extends beyond individual businesses, affecting entire supply chains. Recent incidents illustrate this trend. For instance, the Qilin ransomware group launched an attack on a Chinese automotive parts developer and manufacturer, causing significant disruption. Another notable case involved Toyota, which reported unauthorized access to its systems. These examples underscore a growing pattern: Ransomware groups are increasingly targeting companies in critical industries, and these include the automotive supply chain.
For over two decades, there was a separation between information technology (IT) and operational technology (OT) systems. But they are now being interconnected to enhance efficiency, productivity, and decision-making capabilities. Unfortunately, along with these benefits come the obvious risks, such as the exposure of these systems to the internet, and the automotive industry is no exception. While IT adoption leads to reduced management costs and automation of routine tasks, it also introduces new risks, especially when systems are inadvertently exposed online. The most common types of data compromised in these breaches are personally identifiable information (PII) and business documents, highlighting the predominant nature of these cyberthreats.
To effectively mitigate cyberattacks or prevent future occurrences, it is crucial to understand their mechanics. Cyberattacks come in various forms, each capable of granting unauthorized system access or disrupting operations. Here are some common types of attacks and their respective mitigation strategies:
- Ransomware attacks. Ransomware encrypts the victim’s files, with the attacker then demanding a ransom to restore data access. It can be spread via phishing emails, malicious websites, or vulnerability exploits. Mitigation: Ensure regular data backups, implement strict access controls, and adhere to the principle of least privilege.
- Malware attacks. Beyond ransomware, other malware forms like viruses, worms, and trojans can also compromise business systems. These malicious programs can steal, delete, or encrypt data, alter or hijack essential computing functions, and monitor user activity. Mitigation: Keep software regularly updated and manage patches diligently, and deploy comprehensive endpoint protection.
- Phishing. This technique involves sending deceptive emails that mimic reputable sources, with the aim of duping employees into divulging sensitive information. Mitigation: Implement employee education and awareness training programs, and use advanced email filtering systems.
- Distributed denial-of-service (DDoS) attacks. These attacks overload a system, server, or network with excessive traffic, overwhelming bandwidth or resources and denying service to legitimate users. Mitigation: Use DDoS protection and mitigation services, conduct traffic analysis, and plan for sufficient network capacity.
- Zero-day exploits. These attacks target unknown vulnerabilities in applications or operating systems. Attackers exploit the flaws before developers have the chance to patch them. Mitigation: Conduct regular security audits and vulnerability assessments, and engage in threat intelligence and information sharing to stay ahead of emerging threats.
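A minimal illustration of the email-filtering mitigation listed under phishing above, added here as an example and not code from the original article or from VicOne: it parses an inbound message with Python's standard email library and flags three common phishing signals (a Reply-To domain that differs from the sender domain, anchor text that displays one domain while the href points to another, and urgency wording). The two sample messages, their domains, the keyword list, and the threshold are constructed for the demonstration.

```python
"""Heuristic phishing indicators for an inbound email (added example).

Scores a raw RFC 5322 message on a few well-known signals. The sample
messages, domains, keyword list, and threshold below are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of urgency phrases typical of credential-phishing lures.
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "password expires")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _host(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def phishing_indicators(raw: bytes) -> list:
    """Return the list of indicator strings found in the raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []

    # Signal 1: Reply-To routed to a different domain than the visible sender.
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        found.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Signal 2: link text shows one host while the href targets another.
    if body and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, shown in collector.links:
            shown_host = _host(shown) if re.match(r"^(https?://|www\.)", shown) else ""
            if shown_host and shown_host != _host(href):
                found.append(f"link text shows {shown_host} but points to {_host(href)}")

    # Signal 3: urgency wording (first match only, to count it once).
    lowered = text.lower()
    for word in URGENCY_WORDS:
        if word in lowered:
            found.append(f"urgency wording: '{word}'")
            break
    return found


def is_suspicious(raw: bytes, threshold: int = 2) -> bool:
    """True when at least `threshold` indicators are present (constructed cutoff)."""
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample: mismatched Reply-To, deceptive link, urgency wording.
SAMPLE_PHISH = b"""From: IT Helpdesk <helpdesk@example-corp.com>
Reply-To: support@mail-verify.example.net
To: employee@example-corp.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Your password expires today. Please verify your account
<a href="http://login.example.net/reset">https://portal.example-corp.com/reset</a>
immediately.</p></body></html>
"""

# Constructed sample: routine internal notice with none of the signals.
SAMPLE_LEGIT = b"""From: Payroll <payroll@example-corp.com>
To: employee@example-corp.com
Subject: March payslip
Content-Type: text/plain; charset="utf-8"

Your March payslip is available in the HR portal.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, is_suspicious(raw), phishing_indicators(raw))
```

Heuristics like these are a first-pass triage layer, not a replacement for authenticated sender checks (SPF, DKIM, DMARC) or a commercial filtering gateway; the value of the example is in showing that each indicator is cheap to compute and that requiring several to coincide keeps the false-positive rate tolerable.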
As the automotive industry becomes increasingly connected, the focus of cybersecurity goes beyond traditional IT systems. The interconnectedness means that a breach in the IT system can potentially impact vehicles on the road. In this context, solutions emphasizing on-board traffic monitoring, effective management of vulnerabilities, and robust security for cloud services, APIs, and endpoints become crucial.
Data exposed from IT systems might enable the discovery, control, and abuse of vehicles. Thus, for increased detection, visibility, analytics, and response to threats targeting vehicles, VicOne recommends these key strategies:
- xNexus. This next-gen vehicle security operations center (VSOC) platform is armed with highly integrated on-board sensors (xCarbon), delivering rich in-vehicle system telemetry data and enabling full visibility and API security from cloud to vehicle, cloud to cloud, and vehicle to service. xNexus enhances capabilities for monitoring and responding to potential threats by providing precise yet actionable threat intelligence and early warning of incoming attacks. Should important data be compromised in the IT systems that could be used to identify vehicles (e.g., for a fleet), abuse of such data could lead to abuse of vehicle remote control functions. These remote control functions are, more often than not, exposed through in-vehicle APIs, so their misuse must be detected immediately. This proactive approach allows VSOCs to stay ahead of potential threats and respond swiftly.
- xCarbon. Serving as an intrusion detection and prevention system (IDPS) for electronic control units (ECUs) in vehicles, xCarbon offers superior detection and protective measures, including real-time evaluation of in-car API calls. It enables VSOCs to quickly identify and understand the nature of potential attacks on vehicles. In addition, xCarbon can serve as a sensor that provides precise security logs to the VSOC platform (e.g., xNexus). This system is particularly important for maintaining the integrity and security of vehicle operations, given the increasing sophistication of cyberthreats targeting the automotive industry.
Overall, these solutions represent a shift toward more integrated and responsive cybersecurity measures in the automotive industry, recognizing the unique challenges posed by the increasing connectivity and complexity of modern vehicles.