In October of 2023, I presented to the Massachusetts State Auto Dealers Association on the state of cybersecurity in the industry, warning that the industry was under attack. On the dark corners of the internet, attackers were sharing information that auto dealers were prime targets for a ransomware payday. They point to a workforce lacking cybersecurity awareness combined with outdated and unpatched technology as the reason. Since then, we saw a major breach at Toyota, a ransomware attack on a Midwest auto dealer, Jeff Wyler Automotive Family, and another on Findlay Automotive, a Nevada-based group whose operations and ability to sell vehicles were still reportedly impacted a month later.

On June 19, 2024, CDK Global, a major dealer management system provider, was the victim of a cyberattack. This attack impacted about 15,000 dealerships to varying degrees, depending on how many and which CDK products they were using. As is common with these types of incidents, CDK has not disclosed a lot of the details. However, there are some things we do know, and some things we can speculate on given what we know about the attackers and these types of attacks in general. Most importantly, there are always lessons to be learned from unfortunate scenarios like this. And sadly, this is not the first time a dealer management software company has been breached. Let’s not forget that the catalyst for the enhanced FTC Safeguards rule was a breach of LightYear Dealer Technologies, doing business as “DealerBuilt” back in 2019. DealerBuilt settled with the FTC, who alleged that the company poorly protected the information of consumers, leading to a breach that exposed millions of consumers’ personal information. Let’s dive into the anatomy of the CDK attack, and shed light on what action can be taken to identify and address the cyber risks we face today.

What: Ransomware

Ransomware is a specific category of cyberattack where the attacker(s) either encrypt data, rendering systems inoperable and data inaccessible until purchasing a “decryptor” (a tool designed by the attackers to unlock the data), or steal data at the threat of public release or sale on the dark web. The attack group responsible for the CDK attack (called BlackSuit) is known for a “double extortion” approach — where they both encrypt files and threaten to leak sensitive data. This is a lethal blow as it combines the urgency of downtime with regulatory factors such as potential fines and penalties imposed by the Federal Trade Commission and other local and federal authorities, not to mention damage to reputation and loss of consumer and investor/stakeholder confidence (although CDK Global went private in 2022, acquired by Brookfield Business Partners). The ransom CDK reportedly paid was $25 million, and AEG estimated that this incident cost a total of $1.02 billion to dealers.

Who: BlackSuit

BlackSuit is a Russian and Eastern European organized cybercrime group reportedly responsible for the attack. These organized ransomware groups are the modern-day virtual version of the mafia. They operate as a business, with reporting structures, bonus incentives and highly motivated and organized leadership. Located in regions difficult for U.S. authorities to pursue them in and extradite from — they even leave trademark signatures and publicly claim their attacks. For BlackSuit, their callsign is renaming their ransom-encrypted files with a “BlackSuit” extension.

Similar to the crime groups of yesteryear — these groups disband when “bosses” are incarcerated or go into hiding, with new syndicates forming from previous underboss members. BlackSuit is an iteration of an affiliated group known as Royal, which formed after the fall of one of the most notorious Russian groups, Conti. Conti was said to have annual revenue exceeding $180 million from ransomware attacks.

When: Holidays

Organized cybercrime groups are very strategic about when and how they strike. They gather information about their targets, working to calculate the exact timing and amount to demand that will inflict the most damage, increasing the likelihood of the victim paying. Attackers know that U.S. holidays are times when IT is often thinly staffed and “on call” — potentially creating a scenario where their guards are down. This is two-fold for automotive sales, as holidays are often the biggest days for sales. So, the strike on the U.S. federal holiday of Juneteenth was the perfect storm for these adversaries, knowing that the 4th of July soon follows as one of the biggest days for auto sales.

How: The Human Element (Most Likely)

Again, given that details of the attack have not been released, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reports that 91% of attacks originate from a phishing email. Anonymous sources claiming to be insiders involved in the investigation of this attack have also indicated this was the case. Combine that with the fact that BlackSuit’s most common entry point is phishing, and we have a likely suspect for how the attack originated.

That being said, most attacks employ a combination of tools and methods. As I mentioned previously, the second factor attackers have identified in the industry is outdated and unpatched “legacy” technology. Outdated software can contain known vulnerabilities and misconfigurations that allow attackers a foothold and pivot points within an environment. Honorable mention goes to easily guessable passwords and/or password reuse and lack of multi-factor authentication.

Lessons Learned

Lessons from this attack are not just limited to CDK, or even those dealers impacted by the cyberattack and resulting outage. As I’ve warned, attackers tend to take the path of least resistance.

1. An Ounce of Preparation: The FTC Safeguards require you to have an Incident Response Plan in place. This should detail what actions are taken in the event of a cyberattack. These plans should be documented with roles and responsibilities and tested with “tabletop exercises” where attack scenarios are talked through to identify any potential enhancements to existing processes. Another recent amendment to the Safeguards Rule now includes reporting requirements for any incident impacting 500 or more individuals.
2. Vendor Management: This is another explicit FTC Safeguards requirement. OCD Tech has been pressing DMS providers on their security vulnerabilities and compliance since the Safeguards Rule was proposed, with some more responsive than others. Many of these systems are archaic, built on inherently vulnerable platforms and infrastructure. More modern and proactive DMS players are building solutions that are more in line with today’s technology and security needs. Proper vendor management means evaluating who your vendors are, who has access to your data, how critical they are to your operations and, subsequently, how adequate their security practices are.
3. Employee Awareness Training: Employ not only distribution of cybersecurity awareness training materials, but simulated phishing attacks to train your workforce on how to spot red flags and indicators of suspicious activity. OCD Tech has noted employee click and open rates as high as 30% during baseline simulated phishing campaigns. That means 30% or more of your employees could fall for an email sent by an attacker. We’ve seen those very same dealerships improve that rate to less than 2% over a period of six months of simulated campaigns. Employees should also be reminded to be on high alert going into high-volume sales and service periods such as holidays, and after events such as the CDK breach where “piggyback” attacks can follow — attackers posing as CDK representatives to convince individuals to open malicious software or grant them remote access.
4. Basic Cyber Hygiene: We can’t stress enough the importance of enabling multi-factor authentication where available, and especially where sensitive customer information resides. This is typically a low-cost and low-impact change, that is very effective. Easily guessable and reused passwords could also mean that an attacker already has login information for your environment. Leverage information sources such as dark web monitoring for leaked credentials — and make sure you force password changes when such credentials for your dealership appear.
5. Assess Risk, Address Risk, Repeat: You don’t know what you don’t know. Contracting a third-party to evaluate your security and compliance can be an incredibly valuable tool. Measuring your cyber risk and cybersecurity maturity can provide a roadmap towards improvement that allows you to focus your budget and effort in the right areas. With all the flashy tools and corresponding sales pitches out there today, it’s important to understand what threats you’re facing and what you’re paying for to mitigate the associated risk. Have a contracted simulated attacker evaluate your vulnerabilities and see if they can get into your systems, before a real attacker does.

As always, it’s important to stay vigilant. There are a lot of tools out there today that can help align you with security best practices and become compliant with data privacy and protection requirements. But, it’s important as a business leader to ask the difficult questions and demand answers in a language you understand. Know your weaknesses, because your adversaries sure do. And it’s not all doom and gloom. It’s about fostering a culture of cybersecurity awareness. Remind employees about the importance of cybersecurity awareness during department meetings. Ask your IT staff or third-party provider for metrics on your cybersecurity performance.

Cybersecurity is a necessity these days, but as we’ve seen with this attack — it can also become your competitive edge. Some of our clients using CDK have inquired about alternative DMS solutions, and competitors in the market are so inundated with requests, one is actually declining to schedule demos. In a market with plenty of competition, a cyberattack can be make-or-break for your business.