In October of 2023, I presented to the Massachusetts State Auto Dealers Association on the state of cybersecurity in the industry, warning that the industry was under attack. On the dark corners of the internet, attackers were sharing information that auto dealers were prime targets for a ransomware payday. They point to a workforce lacking cybersecurity awareness combined with outdated and unpatched technology as the reason. Since then, we saw a major breach at Toyota, a ransomware attack on a Midwest auto dealer, Jeff Wyler Automotive Family, and another on Findlay Automotive, a Nevada-based group whose operations and ability to sell vehicles were still reportedly impacted a month later. On June 19, 2024, CDK Global, a major dealer management system provider, was the victim of a cyberattack. This attack impacted about 15,000 dealerships to varying degrees, depending on how many and which CDK products they were using. As is common with these types of incidents, CDK has not disclosed a lot of the details. However, there are some things we do know, and some things we can speculate on given what we know about the attackers and these types of attacks in general. Most importantly, there are always lessons to be learned from unfortunate scenarios like this. And sadly, this is not the first time a dealer management software company has been breached. Let’s not forget that the catalyst for the enhanced FTC Safeguards rule was a breach of LightYear Dealer Technologies, doing business as “DealerBuilt” back in 2019. DealerBuilt settled with the FTC, who alleged that the company poorly protected the information of consumers, leading to a breach that exposed millions of consumers’ personal information. Let’s dive into the anatomy of the CDK attack, and shed light on what action can be taken to identify and address the cyber risks we face today. WHAT: RANSOMWARE Ransomware is a specific category of cyberattack where the attacker(s) either encrypt data, rendering systems inoperable and data inaccessible until purchasing a “decryptor” (a tool designed by the attackers to unlock the data), or steal data at the threat of public release or sale on the dark web. The attack group responsible for the CDK attack (called BlackSuit) is known for a “double extortion” approach — where they both encrypt files and threaten to leak sensitive data. This is a lethal blow as it combines the urgency of downtime with regulatory factors such as potential fines and penalties imposed by the Federal Trade Commission and other local and federal authorities, not to mention damage to reputation and loss of consumer and investor/stakeholder confidence (although CDK Global went private in 2022, acquired by Brookfield Business Partners). The ransom CDK reportedly paid was $25 million, and AEG estimated that this incident cost a total of $1.02 billion to dealers. WHO: BLACKSUIT BlackSuit is a Russian and Eastern European organized cybercrime group reportedly responsible for the attack. These organized ransomware groups are the modern-day virtual version of the mafia. They operate as a business, with reporting structures, bonus incentives and highly motivated and organized leadership. Located in regions difficult for U.S. authorities to pursue them in and extradite from — they even leave trademark signatures and publicly claim their attacks. For BlackSuit, their callsign is renaming their ransom-encrypted files with a “BlackSuit” extension. The CDK Breach Lessons Learned from an Attack on the Auto Industry BY ROBBIE HARRIMAN, DIRECTOR OF ADVISORY SERVICES, OCD TECH 12
RkJQdWJsaXNoZXIy ODQxMjUw