CDK Cyberattack Explained: Timeline, Impact and What’s Next?

CDK Cyberattack Summary

The CDK cyberattack is one of the recent cyber incidents that shook the North American automotive industry. CDK Global is a major software-as-a-service (SaaS) provider for car dealerships in the US and Canada. In June 2024, after noticing a cyber incident, CDK Global proactively shut down its systems, which affected over 15,000 car dealerships across the US and Canada. The shutdown temporarily paralyzed normal business operations at those dealerships, including sales, financing, inventory, service, and back-office functions.

CDK Cyberattack Timeline

Late June 19, 2024:

  • CDK Global was hit by the first cyberattack. The exact nature of the attack is not publicly known, but it is believed to have involved some form of system intrusion alongside phishing attempts.
  • In response, CDK Global shut down its systems to prevent further damage and contain the situation.

June 20-24, 2024:

  • While recovering from the first attack, the company faced a second cyberattack. Little is known about what happened behind the scenes during this period; CDK Global was most likely assessing the damage, investigating the attack, and working on recovery.
  • Car dealerships experienced significant disruption from the outage of CDK’s Dealer Management System (DMS), which is critical to their day-to-day operations. Many dealerships resorted to manual processes, hurting efficiency and customer service.
  • On June 22, 2024, the BlackSuit ransomware group claimed responsibility for the cyberattack on CDK Global, which impacted over 15,000 car dealerships across North America. The company did not officially confirm the ransomware claim.

June 25, 2024:

  • CDK Global sent an email to its customers informing them that the outages were likely to extend until at least June 30. This indicated the company was still working on a solution and that full recovery might take time.
  • Reports emerged of a major Midwest dealer group being targeted by phishing attacks, highlighting broader security concerns within the industry.
  • In a statement to Automotive News, CDK Global CEO Brian MacDonald acknowledged the challenges and assured customers that the company was working diligently to restore services.

June 26 – June 30, 2024:

  • There is limited publicly available information about this period. News articles suggest CDK Global may have started a phased restoration of services for a limited number of dealerships.
  • The complete recovery timeline remained unclear, causing uncertainty and financial strain for dealerships.

July 1, 2024 (and beyond):

According to the latest update, the company anticipates that all dealers’ connections will be live by late Wednesday, July 3, or early morning Thursday, July 4.

What is BlackSuit Ransomware?

The cybercrime group behind BlackSuit ransomware, which first appeared in early 2023, targets businesses and organizations for financial gain through double extortion: it exfiltrates data, encrypts systems, and threatens to publicly shame victims. The attackers operate on the ransomware-as-a-service (RaaS) model, encrypting data and demanding a ransom under threat of leaking the stolen data online. Like Emotet, BlackSuit is multifaceted: its multi-threaded ransomware, written in Go, steals data from target systems before encrypting files. After disabling antivirus software, the malware appends the ‘.blacksuit’ extension to the files it has encrypted. BlackSuit is bilingual ransomware that displays its instructions in English and Chinese.

Researchers claimed that BlackSuit shares a number of similarities with Royal ransomware, hinting that the two groups might be connected. Both go after a similar range of victims: BlackSuit’s victims include hospitals, universities, and government institutions.

Figure: Typical ransom note of BlackSuit ransomware, the group that claimed the CDK cyberattack | Source: TrendMicro

A joint advisory issued by the FBI and CISA in November 2023 reveals that Royal’s and BlackSuit’s encryptors overlap in code and tradecraft. The advisory alleged that the Royal ransomware team has been behind ‘at least 350 criminal ransomware victim organizations’ in nearly 50 countries since September 2022 and has made ransom demands totalling more than $275 million since December 2021.

BlackSuit Ransomware IoCs

Here are some BlackSuit ransomware IoCs (SHA-256 file hashes) that can help you take proactive measures to detect and prevent related attacks:

  • 90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c
  • 1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e
  • 6ac8e7384767d1cb6792e62e09efc31a07398ca2043652ab11c090e6a585b310
  • 4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99
  • b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c
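As an added illustration, not code from The SOC Labs or from any vendor, the following Python script turns the two indicators this article gives into a simple defensive sweep: the SHA-256 hashes listed above (a hit means a known BlackSuit sample is on disk) and the ‘.blacksuit’ extension from the section on the ransomware (a hit means a file has already been encrypted). It assumes only the Python standard library; the function and class names are this example’s own, and the sample paths used to exercise it are constructed.

```python
import hashlib
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, Iterator

# SHA-256 hashes listed as BlackSuit IoCs in the article above.
BLACKSUIT_SHA256 = frozenset({
    "90ae0c693f6ffd6dc5bb2d5a5ef078629c3d77f874b2d2ebd9e109d8ca049f2c",
    "1c849adcccad4643303297fb66bfe81c5536be39a87601d67664af1d14e02b9e",
    "6ac8e7384767d1cb6792e62e09efc31a07398ca2043652ab11c090e6a585b310",
    "4d7f6c6a051ecb1f8410243cd6941b339570165ebcfd3cc7db48d2a924874e99",
    "b57e5f0c857e807a03770feb4d3aa254d2c4c8c8d9e08687796be30e2093286c",
})

# Extension the article says BlackSuit appends to files it has encrypted.
ENCRYPTED_EXTENSION = ".blacksuit"


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str   # "ioc_hash" (known malicious binary) or "encrypted_file"
    detail: str   # the matching hash, or the matching extension


def sha256_hex(chunks: Iterable[bytes]) -> str:
    """Hash a stream of byte chunks so large files are never read into memory at once."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def read_chunks(path: Path, size: int = 1 << 20) -> Iterator[bytes]:
    """Yield a file's contents in 1 MiB chunks."""
    with path.open("rb") as fh:
        while True:
            chunk = fh.read(size)
            if not chunk:
                return
            yield chunk


def classify(path: str, digest: str, iocs=BLACKSUIT_SHA256) -> list[Finding]:
    """Pure matching logic: a hash-list hit and/or the encrypted-file extension."""
    findings = []
    if digest in iocs:
        findings.append(Finding(path, "ioc_hash", digest))
    if path.lower().endswith(ENCRYPTED_EXTENSION):
        findings.append(Finding(path, "encrypted_file", ENCRYPTED_EXTENSION))
    return findings


def scan_items(items: Iterable[tuple[str, bytes]], iocs=BLACKSUIT_SHA256) -> list[Finding]:
    """Scan in-memory (path, content) pairs, e.g. artefacts pulled from a ticket or a SIEM."""
    findings = []
    for path, data in items:
        findings.extend(classify(path, sha256_hex([data]), iocs))
    return findings


def scan_directory(root: str, iocs=BLACKSUIT_SHA256) -> list[Finding]:
    """Walk a directory tree and report every IoC hash match and every '.blacksuit' file."""
    findings = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digest = sha256_hex(read_chunks(p))
        except OSError:
            continue  # unreadable file (permissions, in use): skip it rather than abort the sweep
        findings.extend(classify(str(p), digest, iocs))
    return findings


if __name__ == "__main__":
    # Usage: python blacksuit_sweep.py <directory>
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for f in scan_directory(root):
        print(f"{f.reason}\t{f.detail}\t{f.path}")
```

Hash IoCs only catch the exact samples listed, so a recompiled build slips past them; the extension check is a post-encryption signal that is useful for scoping an incident and validating backups, not for prevention. Both belong alongside, not instead of, EDR telemetry and an exercised restore plan.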

Impact of CDK Cyberattack on the Automotive Industry

According to online reports, the estimated financial losses from the CDK cyberattack on the auto sales industry are significant, reaching up to $944 million. The attack has exposed the automotive sector’s vulnerability to cyberattacks and raised concerns about its cybersecurity measures. These losses stem from extended downtime, eroding brand loyalty as profitability shrinks, frustration among both customers and staff, and declining staff morale.

Cyberattacks can severely disrupt business operations, leading to significant financial losses, damaged reputations, and loss of customer trust. In recent times, the Nissan cyberattack by the Akira ransomware group compromised over 100 GB of data.

In the case of CDK Global, the cyberattack crippled the primary platform used by car dealerships for essential functions such as sales, CRM, financing, payroll, support and service, inventory management, and back-office operations. Consequently, dealerships had to revert to manual processes like pen and paper, slowing down operations, creating inefficiencies, and frustrating customers. The disruption extended beyond sales to affect maintenance services, making it difficult for customers to receive timely support for their vehicles.

The importance of SaaS platforms becomes glaringly apparent when disruptions occur. The automotive industry relies on these technologies for real-time data, predictive analytics, and customer insights, driving modern business strategies. Therefore, ensuring robust cybersecurity measures and contingency plans for service continuity is imperative for SaaS providers to minimize the impact of cyberattacks and maintain business operations.



Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The SOC Labs assumes no liability for the accuracy or consequences of using this information.

