
The CDK Global outage: Explaining how it happened

CDK Global was hit with a ransomware attack affecting thousands of U.S. auto dealerships. Keep reading to learn more about this attack and how it affected the industry.

Ransomware attacks are not a new phenomenon and are continuing to have a widespread impact across multiple industry sectors. A ransomware attack can target a specific individual victim, though threat actors are increasingly using techniques where a single vendor is attacked but thousands of its users are impacted.

That's the case with the CDK Global cyberattack, which was first reported on June 18, 2024. In this incident, CDK Global was infected with ransomware, taking many of its core systems offline. As CDK Global is a trusted provider of software services to many organizations in the automotive industry, the ransomware impact was widespread. This attack cost car dealerships more than $1 billion collectively, according to an estimate from Anderson Economic Group, an East Lansing, Mich., consulting firm.

What is CDK Global?

CDK Global is a software vendor headquartered in the U.S. that provides applications and services for the automotive industry. It serves nearly 15,000 dealer locations across North America.

CDK Global primarily focuses on delivering processing capabilities to automotive dealerships across the U.S. It provides essential software that helps dealerships manage daily operations, including vehicle sales, financing, insurance and repairs.

The company was officially created in October 2014, although its roots go back decades earlier. Before 2014, the core operations of CDK Global were part of ADP Dealer Services, which started in 1973. The original set of capabilities for CDK Global comes from a series of predecessor companies that also include Cobalt Digital Marketing and Kerridge Computer Company, both of which were acquired by ADP Dealer Services. The name CDK is derived from those different acquisitions: C from Cobalt Digital Marketing, D from the original ADP Dealer Services business, and K from Kerridge Computer Company.

In 2022, CDK Global was acquired by Brookfield Business Partners in a deal valued at $8.3 billion.

How did the CDK attack happen?

Full details on exactly how the CDK Global attack happened have not yet been publicly disclosed. However, it has been confirmed that the company was the victim of a ransomware attack.

Ransomware can be deployed into a victim's environment in any number of different ways.

One of the most common is some form of phishing attack in which administrative credentials are obtained. Social engineering is another extremely common ransomware attack method, and it is often a component of the phishing attack itself.

Another potential cause could be a vulnerability in the software stack used by CDK Global.

Who was affected?

The CDK Global cyberattack impacted a wide range of entities in the automotive retail industry.

Among them are the following groups:

Car dealerships

  • Approximately 15,000 auto dealer locations across North America were affected, including both the U.S. and Canada.
  • Large car-dealership companies reported disruptions to the U.S. Securities and Exchange Commission (SEC), including Lithia Motors, Group 1 Automotive, Penske Automotive Group and Sonic Automotive.

Automakers

  • Various automakers acknowledged the impact on their dealers' operations, including BMW, Nissan and Honda.

Customers

  • Car buyers faced delays and potential issues with transactions due to dealerships having to resort to manual processes.
  • Car buyers were in some cases unable to complete purchases or have their vehicles serviced normally during the outage.
  • Some dealers and customers have also reported attempted phishing scams from hackers aiming to capitalize on the ransomware outage.

CDK Global

  • The company had to shut down most of its systems and initiate a lengthy restoration process.

Timeline of attack

The timeline of the attack is as follows:

June 18, 2024

  • CDK Global was hit by the first ransomware attack, which led to the encryption of critical files and systems.
  • The attack has been attributed to the BlackSuit ransomware gang that is based in Eastern Europe and Russia.
  • BlackSuit has demanded a ransom from CDK Global. According to Bloomberg, the initial ransom demand was $10 million, but it has since increased to more than $50 million.

June 19, 2024

  • As a result of the ransomware attack, CDK Global shut down its IT systems.
  • During efforts to recover from the initial attack, a second cyberattack hit the company.

June 22, 2024

  • CDK Global announced it initiated the restoration process.
  • Bloomberg reported that the company intends to pay tens of millions of dollars in ransom.

July 4, 2024

  • After a phased restoration process, all car dealerships should be up and running with CDK services.

Who was responsible for the attack?

The CDK Global cyberattack has been attributed to the BlackSuit ransomware gang.

BlackSuit is a relatively new ransomware group that first emerged in April 2023. The group has links to the older, more established Royal ransomware gang. There is some evidence that BlackSuit is also related to the Conti ransomware group. BlackSuit is thought to be made up of Russian and Eastern European hackers.

BlackSuit runs as a private ransomware group and is not some form of ransomware-as-a-service (RaaS) operation where there are affiliates. The group is known to favor using double extortion ransomware, which combines ransomware with extortionware.

The ransomware gang has targeted various sectors in the past, including healthcare, education, information technology, government, retail and manufacturing. Among the group's publicly disclosed victims is the Kansas City, Kan., police department. The gang claims it published hundreds of sensitive police files on June 18, 2024, after the police department did not pay the ransom.

What is the impact of this attack?

The impact of the CDK Global ransomware attack is extensive as it caused widespread disruption across the automotive sector in North America.

  • CDK Global system shutdown. CDK Global shut down most of its programs, including IT systems, phones and applications.
  • Widespread dealership disruption. Approximately 15,000 auto dealer locations across North America were affected. The operational impacts on dealerships included an inability to access dealer management systems, disruptions in tracking and ordering car parts, and difficulties in conducting new sales and offering financing. Additionally, there were challenges in scheduling service appointments and managing inventory. Some dealerships resorted to manual processes using paper, while other dealerships sent employees home.
  • Financial impact. The attack led to disruptions in payroll processing for dealership employees as well as additional costs for implementing temporary manual processes. It is also possible that some dealerships lost sales as they were unable to complete transactions.
  • Customer experience impact. Automotive customers were impacted with delays when trying to purchase vehicles, as well as with scheduling and managing service appointments.
  • Data security concerns. In addition to the operational challenges, the fact that the ransomware group has access to sensitive customer and business data is a major concern.
  • Industry-wide impact. There were also industry-wide impacts with automakers unable to track sales and inventory through their dealer networks.

Are car dealerships seeing an increase in cyberattacks?

Somewhat ironically, CDK Global produces an annual report on the state of cybersecurity in the automotive dealership market.

The "2023 State of Cybersecurity in the Dealership" study was released in October 2023. The report found that 17% of surveyed automotive retailers fell victim to a cyberattack or incident in the past year, up from 15% the previous year. The same report also found that 53% of dealers were confident that they had the right level of cybersecurity protection in place. CDK's report identified phishing scams as the top threat for dealers.

As a result of the CDK Global ransomware attack, car dealerships overall reported an increase in attacks. Most notably, multiple dealerships reported phishing attacks that attempted to obtain usernames and passwords. In the wake of the CDK Global attack, there were also reports of scammers posing as CDK representatives offering to help with the outage.

What can organizations learn from this attack?

There are a variety of things that organizations can learn from the CDK Global attack.

  • Develop contingency plans. The fact that dealers were struggling for days with little to no active guidance on what to do was a real issue. It is incumbent upon organizations to have robust business continuity plans in place to maintain operations during system outages. There should also be an operational playbook that includes manual processes as backups for when digital systems are unavailable.
  • Plan for incident response. The inability to respond quickly and effectively to the ransomware attack helped to amplify the impact. Organizations must develop and regularly update an incident response plan. Organizations should have regular "fire drills" and tabletop exercises to prepare staff and management for potential cyber incidents.
  • Prioritize data protection. Attackers are always looking for personally identifiable information and payment information. Organizations need to implement strong data protection and regularly assess and update data security protocols.
  • Double down on ransomware protection. Organizations need to emphasize and reexamine ransomware protection strategies. There are multiple steps that organizations can and should consider to prevent ransomware exploitation.
  • Improve communication strategies. At the outset of the attack, CDK Global did not have a single location where it kept its users updated on the status of the attack and the recovery effort. It is a best practice to maintain clear and consistent communication with staff and customers during a crisis. It is also critical to unify messaging about what is going on after a cybersecurity incident to reassure customers about data security and service continuity.

Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.
