For several years, Chinese will hackers have had access to the Volkswagen Group’s computer systems. And in this way, they managed to gain access to Volkswagen’s (VW) trade secrets.
The clean-up cost over one billion Norwegian kroner. Those tasked with cleaning up the data breach discovered that over 19,000 files had been downloaded.
These files revealed valuable information. It was about what the company should focus on and new inventions for, among other things, gearboxes, fuel cells and electric cars.
Besides the well-known VW brand, the group owns car brands such as Audi, Skoda, Lamborghini, Bentley, Porsche, Scania and Man.
It is only now that this major data breach is known. The revelation comes right after German Chancellor Olaf Scholz has been on a trip to China.
Germany’s Chancellor Olaf Scholz has recently been to China, among other things to talk about the German car industry, which is under pressure.
Photo: Kay Nietfeld/AFP
There he stated that the car industry needs fair competition, “without price dumping and technology theft», according to Reuters.
Now the German newspaper Der Spiegel and the media house ZDF reveal that the massive data breach against the car giant Volkswagen Group was precisely about technology theft.
The front page of one of several reports NRK has had access to, together with German journalists.
It was in June 2014 that the VW Group discovered that someone had broken into its computer systems. However, this has been kept secret until now.
The way the hackers got in was via a poorly installed firewall at Volkswagen in Latin America. They then made their way further into networks all over the world, before finally having access to the company’s most valuable secrets.
Over 19,000 files with the group’s inventions and internal documentation were retrieved.
The information comes after several months of review of internal documentation and interviews with people who were involved in the clean-up, which German Der Spiegel and ZDF publish on Saturday.
The work is part of an international investigation into Chinese activities in Europe, in which NRK is participating.
An overview that was made while the clean-up was in progress shows that the break-in affected the VW Group’s subsidiaries all over the world.
A spokesperson for Volkswagen in Germany has confirmed the disclosure, as has Audi in Belgium.
– At that time, we had already started to invest a lot in better IT security, and this incident showed us that it was absolutely right, says the spokesperson for Volkswagen.
They do not want to specify how much the clean-up cost, but say it was “a low, three-digit million amount” in euros, i.e. over a billion Norwegian kroner.
Very large scope
The Norwegian security expert Snorre Fagerland believes that the details that have emerged indicate that this was a very large burglary. He emphasizes that he is speaking on a general basis.
– This is a very large scale for a clean-up, says Fagerland.
He says that it is more common to have to do such a large clean-up job when hacthe core has gone in to destroy, for example by using ransomware. Fagerland refers to the ongoing attack on the health giant UnitedHealth.
– It’s been almost ten years, but is only becoming known now. Have there been other attacks of this size that we don’t know about – in Norway or the Nordic countries?
– There have been attacks by the same type which is known in security circles, but the scope is probably much smaller. And then there are certainly undetected burglaries, butmuch of the point of such break-ins is to remain undetected, says Fagerland.
The tracks point to China
According to the internal documents, of which NRK has seen a selection, all the burglaries were carried out by the same hackers. China is not explicitly mentioned, but to Spiegel and ZDF those who worked on the clean-up say that the traces point there.
– We were able to trace the IP addresses back to Beijing, to an address close to the PLA, says a cyber security expert involved in the case. PLA is Chinese military intelligence.
In addition, VW could see that the attackers were operating in the Chinese time zone, and that some of the spyware used in the attack at the time was only in use by Chinese state-backed groups.
An overview from the clean-up shows what the hackers were looking for. The hackers went from company to company within the group. They got into over 90 different computer systems, and the hackers set up a number of back doors to be able to enter and exit the systems as they pleased.
Let the attackers in
The Volkswagen group had been subject to hacker attacks even before the attack that was discovered in 2014. When the car giant discovered that the hackers were again inside their systems, they which may sound contradictory: They chose to leave the hackers on the inside.
This was to be able to follow what they were doing. So that this time they would be sure that they got everyone cleaned out back doors.
At the same time, they notified their development environments to remove the most important inventions from the internal network, VW Germany told Spiegel and ZDF.
Over one weekend in April 2015, all vulnerable systems were reset and exposed accounts were reset.
The clean-up required the participation of both experts from Microsoft and security personnel from the Google company Mandiant.
The Chinese embassy is not aware of the matter
The Chinese embassy in Berlin writes to Der Spiegel and ZDF that they are not aware of the case.
They write that they «condemns and combats any form of cyber-espionage»and that they work with many countries to deal with cyber threats.
Furthermore, they write that there are groups in the West who spread falsehoods about China, and that this is harmful to cooperation between the countries.
