OceanLotus: Hackers tried to infiltrate the network of German car manufacturer BMW

[German]A Hackergroup, called OceanLotus, has tried to infiltrate the computer network of the German car manufacturer BMW at the beginning of the year 2019. However, the action attracted attention of BMW security experts, who observed the intrusion. The infected computer has now been switched off and the hackers have been locked out.


The hacker group OceanLotus, presumably from Vietnam, is targeting the automotive industry. The German broadcaster Bayrischer Rundfunk (BR) reports about the incident at BMW. The hacker group OceanLotus is supposed to be acting on behalf of the state of Vietnam (more details in the text).

Start of the operation in spring 2019

According to information from BR, the hacker group began attempting to infiltrate BMW's networks in the spring of 2019. These attempts must have attracted attention, because according to the reports, the IT security specialists at BMW monitored the steps of the attackers.

Although BMW does not publish any details, it became known that the hackers were able to infect a computer with a program called "Cobalt Strike". The car maker took the affected computer off the Net last weekend.

Cobalt Strike is a framework which is normally used by so-called Red-Teams for penetration testing. The framework allows hacking campaigns (e.g. for espionage) to be one-to-one reenacted. For each section of such an operation, there are separate functions (e.g., network structure elucidation, intrusion, establishment of stable access, retrieval of data, etc.) that can be dynamically configured. The framework allows red teams to perform blind network penetration tests where the tester has little or no information about the system and its structure.

The tools used probably triggered an alarm in BMW's network monitoring system. BMW is quoted by BR as: "We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and enable us to quickly detect, rectify and recover in the event of an incident".

Focus also on Hyundai via fake websites

The South Korean car manufacturer Hyundai was also the focus of the hackers' attention, but did not answer questions from BR. According to the BR report, the attackers set up fake websites of the automobile manufacturers. One page gave the impression that it belonged to the BMW subsidiary in Thailand. The hackers had set up a similar fake website for Hyundai.


The aim was to use these web pages to find out information about the target of the attack and, if necessary, to tap logon data and penetrate further into the network. As the attack was noticed, the security specialists were able to observe the hackers. According to the BR report (citing an anonymous security expert as the source), this ensured that no sensitive data could be accessed. According to the source, the hackers were also unable to access the computers at the BMW headquarters in Munich.

Suspicions about authors

The suspicion that the hackers are based in Vietnam is drawn by the IT specialists from their approach. This corresponded to what has been applied by a hacker group known since 2014 under the name OceanLotus. Quote from Dror-John Röcher, German Cyber Security Organization (DCSO):

There is no secure evidence that the group is acting on behalf of the state. However, if we look at the incidents and analyze the targets, there is strong evidence that at least the Vietnamese state has endorsed them.

Therefore, it is currently only a guess that the group is working for the state of Vietnam. At least the security experts assume that the group has the approval of the communist regime. The background could be that the Vietnamese conglomerate Vingroup opened its first production site in June 2019 in which Vinfast cars are built. German companies are suppliers, BMW is the licensor of the first two models. Automation specialist Siemens is responsible for assembling the factory network.

The following information from Dror-John Röcher (DCSO) is also interesting: "OceanLotus" attacked dissidents and states, that Vietnam quoted as competitors, for years. When Vietnam decided to build cars, the group suddenly started attacking car manufacturers. Meanwhile, the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz) and the German Association of the Automotive Industry (Verband der Automobilindustrie, VDA) are warning companies against such attacks. Further details can be found in the German BR report.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *