'BlackSuit' Hacker Behind CDK Global Cyberattack Affecting Car Dealerships Uncovered

A recent cyberattack on CDK Global, a leading software provider for auto dealerships, has caused significant disruptions in operations across the United States. This incident highlights the increasing trend of ransomware attacks targeting large companies through their behind-the-scenes software suppliers.

CDK Global’s software is crucial for car dealerships, facilitating sales and transaction processing. As a result of the hack, many dealerships have been forced to revert to manual processing methods, impacting their efficiency and customer service, according to local press reports.

Introducing BlackSuit: The Group Behind the Attack

The cybercriminal group responsible for the CDK Global hack is known as BlackSuit. Emerging in May 2023, BlackSuit is a relatively new entity in the cybercrime world, believed to be a spinoff from the notorious Russia-linked hacking group, RoyalLocker. RoyalLocker itself has a notorious history, originating from the prolific Conti gang and targeting American companies extensively. Analysts consider RoyalLocker one of the most persistent ransomware groups, ranking behind only LockBit and ALPHV.

In contrast, BlackSuit appears less aggressive than its predecessors. The group's data leak site indicates fewer victims compared to larger ransomware gangs, suggesting it lacks the extensive network of hacking partners seen with other groups. Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence, notes that most of BlackSuit’s victims are based in the U.S., followed by the U.K. and Canada, and span various sectors.

The Scope of BlackSuit’s Activities

Security firm Recorded Future reports that BlackSuit has breached at least 95 organizations worldwide. However, the actual number of victims could be much higher. The majority of these attacks have targeted American organizations, particularly in sectors like industrial goods and education, as noted in a blog by security firm ReliaQuest.

BlackSuit has also been active in underground forums: according to Goody, Russian-speaking threat actors affiliated with the group were seeking partnerships to gain access to more companies as recently as last week.

BlackSuit’s Modus Operandi

BlackSuit employs a tactic known as “double extortion.” This involves stealing sensitive data from a victim organization, locking up its systems, and then threatening to leak the stolen information unless a ransom is paid. Additionally, BlackSuit provides hacking infrastructure and extortion-related support to smaller partner groups, known as affiliates. This support includes resources for harassing victims or taking down their websites to increase pressure for ransom payments.

The CDK Global hack is a stark reminder of the growing threat posed by ransomware attacks, particularly those targeting critical software suppliers. Organizations must remain vigilant and enhance their cybersecurity measures to protect against these evolving threats.
