{
	"id": "091d942b-9020-44a4-a01e-9d5d52fee062",
	"created_at": "2026-04-06T00:15:26.374901Z",
	"updated_at": "2026-04-10T13:12:05.335577Z",
	"deleted_at": null,
	"sha1_hash": "384edaf0333da6b941acfd7c394309d93440568e",
	"title": "BMW and Hyundai hacked by Vietnamese hackers, report claims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 666579,
	"plain_text": "BMW and Hyundai hacked by Vietnamese hackers, report claims\r\nWritten by Catalin Cimpanu, Contributor, Dec. 6, 2019 at 12:39 p.m. PT\r\nArchived: 2026-04-05 20:15:55 UTC\r\nImage: Pablo Martinez\r\nGerman media is reporting that hackers suspected to have ties to the Vietnamese government have breached the\r\nnetworks of two car manufacturers, namely BMW and Hyundai.\r\nThe report, coming from Bayerischer Rundfunk (BR) and Tagesschau (TS), claims that hackers breached the\r\nnetwork of a BMW branch sometime this spring.\r\nThe attackers allegedly installed a penetration testing toolkit named Cobalt Strike on infected hosts, which they\r\nused as a backdoor into the compromised network.\r\nBMW had supposedly allowed the hackers to persist on its network, and followed their every move, cutting off\r\ntheir access over the last weekend -- end of November.\r\nBR and TS reporters claim the hackers behind the attack also breached Hyundai but did not provide any additional\r\ndetails about this second intrusion.\r\nNeither BMW nor Hyundai wanted to comment on the BR article. Similar requests for comment sent by ZDNet\r\nremained unanswered.\r\nIntrusions blamed on APT32\r\nBR and TS said the group behind the BMW and Hyundai intrusions is a threat actor known for its attacks on the\r\nautomotive industry [1, 2].\r\nKnown as Ocean Lotus (or APT32), the group is believed to carry out attacks on behalf of the Vietnamese\r\ngovernment.\r\nAccording to reports, the group has been active since 2014. While initial attacks had focused on hacking foreign\r\ncorporations active in Vietnam and other Southeast Asian countries, since 2017, the group has incessantly targeted\r\nthe automotive industry.\r\nPrior to today's revelations, the group had been publicly linked to an attack on Toyota Australia. Weeks after,\r\nToyota Japan and Toyota Vietnam disclosed similar breaches.\r\nMany experts have speculated that the Vietnamese government has taken a page out of China's book and is using\r\nhacking groups to carry out economic espionage on foreign companies, stealing intellectual property, and then\r\nusing it for its state-funded corporations.\r\nChina used this strategy to prop up its airplane manufacturing sector, and now experts believe Vietnam is doing the\r\nsame for its fledgling automotive startup VinFast, which started rolling its first cars off factory lines this year.\r\nSource: https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/"
	],
	"report_names": [
		"bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims"
	],
	"threat_actors": [
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/384edaf0333da6b941acfd7c394309d93440568e.pdf",
		"text": "https://archive.orkl.eu/384edaf0333da6b941acfd7c394309d93440568e.txt",
		"img": "https://archive.orkl.eu/384edaf0333da6b941acfd7c394309d93440568e.jpg"
	}
}