Explanation: The “BlackSuit” hacker behind CDK Global’s attack on US auto dealers

SAN FRANCISCO (Reuters) – A hacking attack on software maker CDK Global has disrupted operations at auto dealerships across the United States, the latest in a series of hacking attacks in which ransom-demanding cybercriminals have targeted major companies by gaining behind-the-scenes access to software suppliers.

CDK makes software commonly used by car dealerships to process sales and other transactions. After the hack, many dealers began processing transactions manually, local press reports said.

Here’s more about BlackSuit, the hacker group that analysts say is behind the CDK hack:

WHO/WHAT IS BLACKSUIT?

Not much is known about the group, which emerged in May 2023. According to analysts, it is a relatively new cybercriminal team that grew out of an older and well-known hacker group with Russian ties called RoyalLocker.

RoyalLocker primarily hacked American companies and was a formidable hacking group that emerged from another prolific gang called Conti. Royal was probably the third most powerful ransomware group after LockBit and ALPHV, according to analysts.

But BlackSuit is not as aggressive as the others. The number of victims listed on its data leak website suggests that the group does not have as many hacker partners as the larger ransomware gangs, says Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence.

“The vast majority of BlackSuit victims are from the US, followed by the UK and Canada, and they cover a wide range of industries,” she said.

HOW MANY ORGANIZATIONS HAVE BEEN HACKED BY BLACKSUIT?

According to security company Recorded Future, at least 95 organizations worldwide have been infected.

“The actual number of BlackSuit victims is likely much higher,” the company said in an email.

According to a blog by security company ReliaQuest last month, these were mainly American organizations in the industrial goods and education sectors.

“Just last week, we observed Russian-speaking threat actors associated with BlackSuit soliciting partnerships on underground forums to gain access to organizations,” Goody said.

HOW DOES BLACKSUIT WORK?

BlackSuit is known for its “double extortion” approach. In practice, this means that attackers steal confidential data from the targeted organization, lock down its systems, and also threaten to publish the stolen information.

Mandiant’s Goody said BlackSuit provided hacking infrastructure to other, smaller cybercriminal partner groups known as “affiliates.” BlackSuit also provided extortion support to those partners, including resources to harass victims or take down their websites in order to pressure them into paying.

(Reporting by Christopher Bing and Zeba Siddiqui; Editing by Chris Sanders and Chris Reese)