The reputed Vietnamese APT group OceanLotus is believed responsible for recently hacking into the networks of German car manufacturer BMW, as well as South Korea’s Hyundai, presumably to spy on their automotive trade secrets.

German broadcaster Bayerricscher Rundfunk, which broke the story, reported (in an article translated into English) that BMW caught the intrusion early and chose to monitor the digital invaders’ activity before ultimately expelling them two weekends ago. Sensitive data would not have leaked, an unidentified IT security expert told the news organization, and BMW’s central data center remained untouched.

As part of their scheme, the hackers reportedly created a fake website that appeared to represent BMW’s branch in Thailand and another phone site impersonating Hyundai. They also reportedly infected BMW with Cobalt Strike, a commercial penetration testing tool that it historically has abused as a malicious tool.

BMW reportedly declined to provide Bayerricscher Rundfunk with comment on the specific case, but said “We have implemented structures and processes that minimize the risk of unauthorized external access to our systems and allow us to quickly detect, reconstruct, and recover in the event of an incident.” Hyundai, meanwhile, reportedly did not respond to a request for comment.

According to the MITRE ATT&CK knowledge base, OceanLotus is known to target private sector industries and foreign governments, dissidents, and journalists, with a heavy concentration on Southeast Asia. Back in March, the group – also known as APT32 and Cobalt Kitty – was blamed for breaching Japanese car dealerships, resulting in the compromise of 3.1 million items of data pertaining to Toyota and Lexus customers.

OceanLotus is believed to be sponsored by the Vietnam government. According to Bayerricscher Rundfunk’s report, Vietnam may have particular interest in BMW because in June 2019 the Vietnamese conglomerate Vingroup launched the country’s first auto start-up VinFast, of which BMW is a business partner.

Just this past summer, the German Association of the Automotive Industry (VDA) sent an e-mail warning members of possible cyberattacks on German car companies, the report continues.