Kia Ransomware Attack: Part of an Automotive Cyberattacks Trend?

18 Feb 2021

The recent KIA ransomware attack is not the first industrial cybersecurity attack targeting automotive manufacturers. Some of the largest names were targeted in the past few years. In fact, few of the large automotive manufacturers have stayed off the list of cyberattack victims. The Ryuk ransomware hit both the Volkswagen [1] Group and Peugeot [2] in August 2020. That same month, a Russian threat actor tried to attack Tesla’s network using one of its employees [3].

The list goes on. In June 2020, Honda [4] was hit by Snake ransomware. In 2019, Toyota [5] confirmed it had been the victim of an attempted cyberattack. BMW and Hyundai [6] networks were compromised by APT32, also known as “Ocean Lotus”, that same year. Back in 2017, it was Renault-Nissan's “turn” to suffer production disruptions caused by WannaCry [7].

It seems like the auto industry is in the focus of cyber attackers. Indeed, the list of automakers who suffered major disruptions from cyberattacks is alarming. But it’s just the tip of the iceberg.

We have to remember that the auto industry consists of about 60 automakers, or OEMs, which are owned by 14 massive global companies. These are the brands we all know and love (like Kia).

Hundreds of suppliers support the OEMs. The largest ones are the Tier 1 suppliers - some of them manufacture up to 99% of the complete vehicle. The suppliers must also be prepared.

It’s no wonder criminals set their sights on the auto industry. They know that automotive manufacturers can’t afford any operational disruption. They also understand that the automotive industry is one of the leading sectors in digitization and automation, making it more vulnerable to cyberattacks.

Back to the attack on KIA - are other automotive organizations at immediate risk?

The short answer is yes. Past experience shows that attacks tend to spread to more than one target. In a blog post published in June 2020, we showed how an attack on one company in a certain sector is a sign that others in the same industry might be targeted as well. While it’s too early to assess the damage and the cause of the KIA attack, we already know that the attacker initially targeted Hyundai Motor America, Kia's parent company.

We don’t know yet how the attack reached Hyundai. But we do need to worry and be prepared for the possibility that it reached Hyundai through its supply chain. If it did, as in the successful SolarWinds [8] attack that compromised up to 18,000 SolarWinds customers, it can affect the entire automotive industry.

So what can other organizations do to prepare? For one, we recommend that automotive companies, and especially automotive Tier 1 and Tier 2 suppliers, make sure their supply chain is secured. It’s important to get full visibility of the supply chain, production floor, and assets. It is equally important to get clear visibility of the risks and prepare a response plan ahead of time. If you already have cybersecurity solutions deployed in your OT network, it’s a good time to review the alerts and mitigate them. Prioritize critical operational processes first. If you don’t have tools that provide full visibility of your OT network, we advise considering external security assessment services to make sure you are protected. In the longer term, evaluate OT-native SIEM/SOAR solutions and choose one that fits your production network.

Another immediate risk, both for KIA and for other automotive companies, is the production floor. Past experience shows that the risk to the operational technology (OT) network is very real, as we saw in the Honda and Renault-Nissan cases. Therefore, we recommend that KIA and other manufacturers ensure that the OT network is properly secured and separated from the IT network to minimize the risk of the attack spreading to their operational networks. This can be achieved by proper network segmentation and by making sure that access to the OT network is limited to specific, pre-defined users and assets. Some tools can help you achieve this goal more efficiently, such as OTORIO’s RAM2 SIEM/SOAR solution, which provides insights regarding misconfigurations that expose your OT network to cyberattacks.

Finally, it’s important to pay special attention to remote access security. Many recent attacks started with unsecured remote connections. The COVID-19 pandemic contributed to that, as organizations rolled out remote access at an incredible speed. Attackers took advantage of the vulnerabilities in remote access tools to execute ransomware attacks. We recommend organizations immediately check their remote access tools and make sure they are secured and up to date. It’s also important to use dedicated tools to access the operational networks separately from the IT network.
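The segmentation and remote access recommendations above can be checked against flow or firewall logs. The following is an added example, not OTORIO's tooling or code from the original post; the subnets, jump host address, user names and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed example values (assumptions, not taken from the article).
OT_NET = ipaddress.ip_network("10.20.0.0/16")   # production-floor (OT) range
IT_NET = ipaddress.ip_network("10.10.0.0/16")   # office (IT) range
JUMP_HOST = ipaddress.ip_address("10.30.0.5")   # dedicated OT remote-access gateway

# Pre-defined (user, source asset) pairs allowed into OT, with permitted ports.
ALLOWLIST = {
    ("svc-historian", "10.10.4.12"): {443},
    ("eng-alice", "10.30.0.5"): {3389, 22},
}

# Constructed flow records: (user, source, destination, destination port).
FLOWS = [
    ("svc-historian", "10.10.4.12", "10.20.1.7", 443),  # allowlisted
    ("eng-alice", "10.30.0.5", "10.20.1.9", 3389),      # allowlisted, via jump host
    ("eng-bob", "10.10.8.44", "10.20.1.9", 3389),       # RDP straight from IT
    ("svc-historian", "10.10.4.12", "10.20.1.7", 445),  # right pair, wrong port
    ("eng-alice", "10.10.8.10", "10.10.9.1", 22),       # IT to IT, out of scope
    ("vendor-x", "203.0.113.9", "10.20.3.3", 22),       # external, direct to OT
]

def audit(flows):
    """Return every flow that enters the OT range without matching the allowlist."""
    findings = []
    for user, src, dst, port in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in OT_NET or src_ip in OT_NET:
            continue  # only flows that cross the boundary into OT are audited
        allowed_ports = ALLOWLIST.get((user, src))
        if allowed_ports is None:
            if src_ip == JUMP_HOST:
                reason = "user not approved on the jump host"
            elif src_ip in IT_NET:
                reason = "direct IT-to-OT access, not allowlisted"
            else:
                reason = "external source reaching OT directly"
        elif port not in allowed_ports:
            reason = "allowlisted pair using an unapproved port"
        else:
            continue
        findings.append((user, src, dst, port, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

Each finding points at either a segmentation gap (a firewall rule that lets the flow through) or an access path that skips the dedicated remote-access gateway.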


What we don’t know about the KIA ransomware attack is greater than what we do know. Yet we do know that it’s part of the wider attention attackers give to the automotive industry. All automotive companies, from large OEMs and Tier 1 and Tier 2 suppliers to smaller manufacturers, should be prepared for the next cyberattack attempt. We at OTORIO believe that to be ready, you should be proactive. Make sure to use the right tools that provide full visibility of your cybersecurity posture and feasible mitigation steps, especially in the too-often neglected production floor environment.

Yael Harel

Product Marketing, OTORIO