Explainer-The 'BlackSuit' hacker behind the CDK Global attack hitting US car dealers


FILE PHOTO: A computer keyboard lit by a displayed cyber code is seen in this illustration picture taken on March 1, 2017. REUTERS/Kacper Pempel/Illustration/File Photo

SAN FRANCISCO (Reuters) - A hack into software maker CDK Global has disrupted operations at auto dealerships across the U.S., the latest in a series of hacks where ransom-demanding cybercriminals target big companies by breaching behind-the-scenes software suppliers.

CDK makes software that is commonly used by car dealerships to process sales and other transactions. In light of the hack, many dealers have started processing transactions manually, according to local press reports.

Here is more about BlackSuit, the hacking group analysts say is behind the CDK hack:

WHO/WHAT IS BLACKSUIT?

Not much is known about the group, but it emerged in May 2023. Analysts say it is a relatively new cybercriminal team spun off of an older and well-known Russia-linked hacking group named RoyalLocker.

RoyalLocker mostly hacked American companies and was a formidable hacker group borne out of another prolific gang named Conti. Royal was likely the third most persistent ransomware group after LockBit and ALPHV, according to analysts.

Yet, BlackSuit is not as aggressive as the others. The number of victims it lists on its data leak site suggests it does not have as many hacking partners as larger ransomware gangs, said Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence.

“The majority of BlackSuit victims have been overwhelmingly based in the U.S., followed by the U.K. and Canada and span a wide range of sectors,” she said.

HOW MANY ORGANIZATIONS HAS BLACKSUIT HACKED?

It has breached at least 95 organizations globally, according to the security firm Recorded Future.

“The real number of BlackSuit victims is likely much higher,” the firm said by email.

These were mostly American organizations in areas such as industrial goods and education, according to a blog last month by the security firm ReliaQuest.

“We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” said Goody.

HOW DOES BLACKSUIT OPERATE?

BlackSuit is known to carry out “double extortion,” which in cyber terms means it steals a victim organization’s sensitive data, locks up its systems, and also threatens to leak information.

Mandiant’s Goody said BlackSuit had provided hacking infrastructure to other smaller partner groups of cybercriminals known as "affiliates." BlackSuit provided extortion-related support to its partners, including resources to harass victims or down their websites to pressure them into paying.

(Reporting by Christopher Bing and Zeba Siddiqui; Editing by Chris Sanders and Chris Reese)

Follow us on our official WhatsApp channel for breaking news alerts and key updates!

   

Next In Tech News

To rival SpaceX’s Starship, ULA eyes Vulcan rocket upgrade
UnitedHealthcare CEO murder: How Silicon Valley protects its tech CEOs
AI with reasoning power will be less predictable, Ilya Sutskever says
How can I get Apple Intelligence on my device?
Google announces Android XR operating system for headsets and glasses
MicroStrategy secures Nasdaq-100 inclusion after bitcoin-fueled stock surge
Meta urges California attorney general to stop OpenAI from becoming for-profit, WSJ reports
Over 50 sex offenders in London arrested using facial recognition technology
Apple CEO Tim Cook to meet with Trump on Friday
US court rejects Tiktok request to temporarily halt pending US ban

Others Also Read