Almost every day, the German Federal Office for Information Security warns of new phishing campaigns designed to trick victims into disclosing confidential data, downloading malware or exposing themselves and their company to cybercrime. The attackers pursue various goals, from espionage and sabotage to blackmail. A medium-sized automotive supplier also recently fell victim to a sophisticated phishing attack. The following case study describes its chronological sequence and the measures that the company initiated together with a team of experts from its IT service provider in order to contain the attack and minimize future threats.
Phishing attacks are extremely dangerous and difficult to detect, mainly because of their diversity. In the vast majority of documented cases, however, the starting point is an email. It may carry fake documents such as receipts or purchase contracts as attachments. Another method is a link in the email that leads to a fake website posing as one from the victim's industry.
The automotive supplier in the case study outlined here is not the first victim from the automotive industry. In 2022, for example, a large-scale phishing campaign targeted car manufacturers, car dealerships and garages at the same time. For that attack, the criminals had recreated various websites of real companies so that the phishing emails could be traced back to them and thus appear legitimate. As an example, the security researchers from the blog “Check Point” show an email that pretends to contain a signed contract for a car handover.
At the same time, the recipient is asked to confirm receipt and send further documents, such as the vehicle documents and MOT certificate for the car in question. If the attachment is opened, another file is opened in the background, which contacts the drop site via which the malware is then smuggled in. The victim only sees a document that appears to be exactly what it is supposed to be, for example a purchase contract for a car.
The phishing attack: preparation and execution
In the recent case of the medium-sized automotive supplier, the hackers must have started preparing a month before the attack, according to the findings so far. Their strategy did not even involve the introduction of malware. They created fake email accounts that appeared to belong to a new business partner of the company. The attackers most likely learned of the actual new business relationship via social business networks on which both companies had previously announced the cooperation. In addition, the automotive supplier’s employee profiles showed an increased number of contacts with team members of the new business partner from a certain point in time. This allowed the hackers to carefully select the fake email addresses in order to inspire trust and create personalized phishing emails.
In February 2023, the hackers then began sending fake emails to employees of the medium-sized company. These extremely professionally written, convincing emails asked the recipients to click on a link that led to a fake login page on the business partner’s supposedly new extranet. On this page, they were asked to register for the partner extranet using their workstation login information (domain account) in order to gain easy access to the partner extranet in the future without having to log in.
Those employees who clicked on the phishing links and entered their login details gave the criminals access to their email inboxes. This gave the attackers information about further access to cloud-based systems, such as the company’s CRM and project management solution. The attackers also gained access to these systems via requested password resets and were thus able to retrieve confidential data, including customer information and financial data.
The response: detection and measures for phishing attacks
The supplier’s IT department first noticed unusual activity on the network a few days after the emails were sent. This included attempts to obtain new VPN access and suspicious login attempts to the company network via existing VPN connections. Immediately after the attack was detected, the company took the following measures:
1. Isolation of the affected systems
The first thing the IT department did was to isolate the affected systems. It deactivated the VPN gateway and only allowed connections to the mail server directly from the company network. Access to the cloud-based systems was also deactivated. These measures successfully prevented the attackers from expanding their attack to other parts of the IT infrastructure and causing further damage.
2. Notification of the employees concerned
In the next step, the company informed all employees and asked them to change their passwords. One difficulty was posed by employees who were outside the company network at the time (working from home or on a business trip). As the VPN gateway was deactivated and the connection to the mail server was restricted, they had no access to the company network or their emails. The service desk played a crucial role in proactively calling these employees, informing them of the incident and helping them to change their passwords. The accounts of employees the service desk was unable to reach were deactivated. As a result, the medium-sized company was able to change passwords company-wide within 48 hours.
3. Forensic examination
Once these first two time-critical steps had been successfully completed, the automotive supplier’s IT department initiated a comprehensive forensic investigation with the help of IT service provider handz.on in order to determine the extent of the data loss and the identity of the attackers. The actual analysis was carried out on specially created copies (“snapshots”) of the affected systems. In order to determine how far and over what period of time the attackers were able to penetrate the network, the investigations mainly focused on evaluating the log files of the VPN gateway, mail server, firewalls and cloud-based systems.
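As an added illustration of that log evaluation (not the supplier's or handz.on's own tooling), the script below bounds each account's compromise window from constructed VPN, mail and cloud authentication log lines: activity before the phishing emails were sent forms a per-user baseline of known source addresses, and any later event from an unfamiliar address is recorded as suspicious, yielding the period and the systems reached. The log format, the date the emails went out and all addresses are assumptions.

```python
"""Added example: bound each account's compromise window from constructed VPN, mail
and cloud authentication logs, using pre-phishing activity as the per-user baseline."""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not the supplier's real logs).
# Format: <ISO timestamp> <system> <user> <source IP> <event>
SAMPLE_LOGS = """\
2023-02-02T08:02:11 vpn alice 203.0.113.5 login_ok
2023-02-03T09:10:00 vpn bob 10.0.5.40 login_ok
2023-02-07T22:41:03 mail alice 198.51.100.77 login_ok
2023-02-08T01:12:40 cloud-crm alice 198.51.100.77 password_reset_requested
2023-02-08T01:15:02 cloud-crm alice 198.51.100.77 login_ok
2023-02-08T09:00:27 vpn alice 203.0.113.5 login_ok
2023-02-09T03:30:55 vpn alice 198.51.100.77 login_failed
2023-02-09T03:31:10 vpn alice 198.51.100.77 new_vpn_profile_requested
2023-02-09T11:05:00 mail bob 10.0.5.40 login_ok
"""
PHISHING_SENT = datetime(2023, 2, 6)  # assumed date the fake partner emails went out

def parse(line):
    ts, system, user, ip, event = line.split()
    return datetime.fromisoformat(ts), system, user, ip, event

def compromise_windows(log_text, phishing_sent):
    """Return {user: {"first", "last", "systems", "events"}} for activity that comes from
    a source IP the user never used before the phishing mails were sent."""
    baseline = defaultdict(set)  # user -> source IPs seen in the pre-attack period
    findings = {}
    for ts, system, user, ip, event in sorted(map(parse, log_text.strip().splitlines())):
        if ts < phishing_sent:
            baseline[user].add(ip)  # home-office and LAN addresses alike count as known
            continue
        if ip in baseline[user]:
            continue  # familiar address: treated as legitimate in this triage pass
        f = findings.setdefault(user, {"first": ts, "last": ts, "systems": set(), "events": []})
        f["first"], f["last"] = min(f["first"], ts), max(f["last"], ts)
        if event == "login_ok":
            f["systems"].add(system)  # extent: systems the unfamiliar source actually got into
        f["events"].append((ts.isoformat(), system, ip, event))
    return findings

def summary(findings):
    """One line per affected account: period and systems reached, for the incident report."""
    return [f"{user}: {f['first'].isoformat()} .. {f['last'].isoformat()}, "
            f"reached {sorted(f['systems'])}, {len(f['events'])} suspicious events"
            for user, f in sorted(findings.items())]

if __name__ == "__main__":
    for line in summary(compromise_windows(SAMPLE_LOGS, PHISHING_SENT)):
        print(line)
```

The password reset and new VPN profile requests appear in the event list even though they are not logins, which is how the reset-based access to the cloud systems and the attempts to obtain new VPN access described above would surface in such a triage.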
4. Restart and lessons learned
Once it had been established that there was no further damage, that all passwords had been reset and that VPN connections from the time of the attack had been deactivated, the isolated or restricted systems were brought back into service. Mail server access via connections from the Internet was permitted again, and the VPN gateway and access to the cloud-based systems were reactivated.
5. Improvement of security measures
Following the attack, the company strengthened its security measures, including the introduction of multi-factor authentication (MFA) for logging into the domain and cloud-based systems. In addition, handz.on was commissioned to develop a holistic concept for an awareness campaign on cybercrime and phishing, as well as to carry out security training for employees and regular security checks in the form of penetration tests of exposed systems and simulated phishing attacks.
Next, the company wants to entrust the handz.on team of experts with a gap analysis of its existing information security management system (ISMS) in order to make it fit for the planned TISAX recertification (the uniform standard for information security in the automotive industry). The company is also considering adopting a zero-trust approach, i.e. setting up an architecture in which every individual system access requires authentication. System access is then to be managed centrally via an identity and access management (IAM) solution.
Conclusion
The phishing attack highlights the ongoing threat of cyberattacks and the need for companies to take proactive security measures. In this case, information from social business networks provided the criminals with enough information to persuade employees of the automotive supplier to disclose their login credentials during an early cooperation phase with a new business partner.
Thanks to early detection and rapid response, the company was able to minimize the damage and, as a result, improve its security practices to prevent future attacks. The case study also underlines the importance of clear rules of conduct and in-house training for employees to raise their awareness of the risks of phishing attacks and the now very sophisticated methods used by hackers.
Author: Sebastian Welke, Senior Consultant