
Car dealerships across the United States and Canada have been targeted in a multi-pronged attack focused mainly against cloud services provider CDK Global.

1st attack
The attack started on the 18th of June with a cyber attack so severe that the company had no option but to shut down its entire network, leaving its 15,000+ customers across North America unable to operate their businesses properly.
Frustrated dealerships report having received little news from CDK apart from a simple email stating that the company is currently experiencing technical issues.



Many affected dealerships are resorting to manual record keeping, with the hope that once CDK systems are back online, they can upload the information.

Some dealers, however, are feeling a little less frustrated at having some spare time.

Customers are also turning to social media to vent their frustrations.

CDK staff are also turning to the web to post their issues.

2nd attack
Hot on the heels of the 1st attack, the company suffered a second hit a day later whilst it was in the process of restoring its systems.
“Out of continued caution and to protect our customers, we are once again proactively shutting down most of our systems. We are currently assessing the overall impact and consulting with external 3rd party experts.”
CDK Global Customer Services
The latest update from the company states that there is currently no time frame for the systems to be restored, and that customers should refer to the posted telephone numbers +1 (855) 356-3270 (English) and +1 (877) 483-7817 (French) for further information.
“If you are not aware, we experienced an additional cyber incident late in the evening on June 19.
We continue to act out of caution, and to protect our customers, we have taken down most of our systems. Do not attempt to access the DMS until we can confirm the system is secure. Digital Retail and CDK phones continue to be functional.
At this time, we do not have an estimated time frame for resolution and therefore our dealers’ systems will not be available likely for several days.
As of now, our Customer Care channels for support remain unavailable as a precautionary measure to maintain security. It is a high priority to reinstate these services as soon as possible.
Along with the Critical Situation emails, we are providing updates in Unify and have two phone numbers to contact CDK for the latest recorded update.” – CDK Global
CDK Global Customer Services
3rd attack
In a twist to this ongoing crisis for CDK Global and their customers, it is now emerging that attackers have turned to posing as CDK Global customer support and are contacting dealerships in attempts to phish for credentials to access any other remaining systems.
Who are CDK Global?
CDK Global are a Software-as-a-Service (SaaS) provider, based in Illinois, who provision various front and back office products for car dealerships – the services include Financing, Insurance, Payroll, Customer Relationship Management (CRM), Inventory, Servicing, and more.

CDK has operated in the U.S. for over 50 years, providing logistics management and automotive solutions.
The company has grown extensively via multiple company acquisitions to become the largest company of its kind in North America, employing thousands of staff. The company now operates in 25 countries and has retail sales in over 100 countries. In 2021, the company was valued at $1.6B USD.
Who are the attackers?
No official attribution has been given as to who is behind the attack; however, various dark web sites suggest that the hacker behind the attack is a Russian national called Semyuel Hydeski.

Reportedly, the ransom demand was set at over $50M USD, but will increase by $10M USD for every day CDK Global refuse to pay.
Some reports seem to indicate that the attackers may have managed to gain access to CDK after the recent attack on Snowflake back in mid-April. CDK Global are customers of Snowflake; however, it has not been published whether they were affected in the breach.

Another large US automotive company – Advance Auto Parts (AAP) – have, however, been victims of the Snowflake attack; the threat actor behind that attack has been offering access to stolen data for $1.5M USD.

The attack against AAP was confirmed by the company in a U.S. Securities and Exchange Commission filing back in May.
