BMW declined to comment on the specific case, saying instead that it had “structures and processes” that both limited external hacking attempts and would let it quickly spot and recover from intrusions. Hyundai hasn’t responded to requests for comment so far.
The culprits may have been easy to identify, though. OceanLotus (aka APT32 or Cobalt Kitty) has been around since 2014 and is believed to be a Vietnam-backed group that typically targets dissidents and threats, and has lately targeted car brands that might include Toyota and Lexus. Conveniently, Vietnam recently launched its own automaker with BMW as a key supplier. The country may be trying to fast-track its growth by swiping ideas from rivals.
It’s not certain if Mercedes-Benz, VW or other brands were targeted. However, this follows a longstanding pattern of corporate espionage hacks on the part of countries that want to understand how certain businesses work. This certainly puts BMW in a difficult spot. It’s in a partnership where a supposed ally might be hacking its systems, and confronting its partner could create massive headaches.