Understanding the CDK Cyber Attack

Understanding the CDK Cyber Attack: What Happened and What Businesses Can Learn

Key Takeaways From the CDK Global Cyber Attack 

  • Massive Disruption

    On June 18, 2024, CDK Global’s systems were crippled by a ransomware attack, impacting 15,000 car dealerships in the U.S. and Canada.

  • Financial Impact

    Dealerships faced over $1 billion in losses due to operational disruptions during the two-week recovery period.

  • Ransom Demands

    The BlackSuit ransomware group initially demanded $10 million, later escalating to over $50 million. CDK also faced a second cyber attack during recovery.

  • Cybersecurity Gaps

    The attack highlighted the need for strong cybersecurity measures, regular audits, and effective incident response plans to minimize risks.

  • Broader Implications

    The attack underscores the broader implications for cybersecurity policies and best practices, emphasizing the necessity of industry-wide cooperation and proactive measures to address evolving threats posed by ransomware actors.

  • Proactive Protection

    Partnering with a trusted cybersecurity provider ensures better protection, system resilience, and regulatory compliance.

What Does CDK Do for Car Dealerships?

CDK Global offers comprehensive data and technology solutions tailored to automotive dealerships across the U.S. and Canada. Their software streamlines operations by managing various aspects of dealership functions, including car sales, service scheduling, oil changes, repairs, and more. From service advisors creating repair orders to mechanics tracking labor time and documenting repairs, CDK’s platform supports every step of the process. Additionally, dealership employees can efficiently clock in and out using CDK’s integrated software, enhancing operational efficiency. 

CDK Global Ransomware Attack: June 2024 Incident and Its Aftermath

In June 2024, CDK Global, a leading provider of software solutions for automotive dealerships, experienced a significant ransomware attack that disrupted operations across North America. The CDK attack, which began on June 18, 2024, involved the BlackSuit ransomware group infiltrating CDK’s systems, leading to widespread service outages. This attack affected approximately 15,000 car dealerships in the U.S. and Canada, forcing many to revert to manual processes for nearly two weeks. 

Compounding the situation, during the initial recovery efforts, CDK suffered a second cyber attack on June 19, 2024, further delaying system restoration. The attackers initially demanded a $10 million ransom, which escalated to over $50 million. CNN reports that on June 21, approximately 387 Bitcoin—then worth roughly $25 million—was sent to a cryptocurrency account controlled by hackers affiliated with the ransomware group BlackSuit, according to Chris Janczewski, head of global investigations at crypto-tracking firm TRM Labs. 

The breach had significant financial implications, with estimates suggesting that dealerships collectively incurred losses exceeding $1 billion due to operational disruptions. Additionally, CDK faced multiple lawsuits from affected dealerships, alleging negligence in safeguarding their systems against such attacks. The Securities and Exchange Commission has been involved in addressing the repercussions of the ransomware attack, highlighting the regulatory role of the SEC in monitoring and addressing issues stemming from cybersecurity breaches. 

By July 4, 2024, CDK announced that services had been fully restored for nearly all dealerships. The incident underscored the critical importance of robust cybersecurity measures and the potential widespread impact of cyber attacks on essential service providers. 

CDK Global Cyber Attack Timeline – June & July 2024

June 18, 2024

Initial Breach

The attack began when BlackSuit infiltrated CDK Global’s systems. CDK Global, a software vendor serving car dealerships, provides a variety of applications for their day-to-day operations. The threat actors encrypted critical files and disrupted CDK’s core operations and services, affecting around 15,000 auto dealerships across North America.

June 19, 2024

Containment and System Shutdown

In response to the breach, CDK Global made the decision to shut down its IT systems on June 19 to contain the spread of the ransomware. This decision halted many dealership operations, which rely on CDK’s software for various tasks, including sales, repairs, and service management. 

June 19, 2024

Second Attack

While CDK was working on restoring its systems, a second attack occurred. The additional intrusion further complicated recovery efforts, delaying the restoration process and amplifying the disruption across affected dealerships. 

June 21, 2024

Ransom Demand

On June 21, the attackers, identified as the BlackSuit ransomware group, issued a ransom demand, initially set at around $10 million, later increasing to over $50 million. The hackers claimed responsibility for encrypting data and threatened to leak sensitive information if their demands were not met.

Undisclosed

Ransom Negotiation and Recovery

CDK Global reportedly planned to meet the ransom demands to expedite recovery. However, the exact details of negotiations and the ransom payment have not been publicly disclosed. 

Late June - Early July 2024

Restoration Efforts

CDK initiated a multi-day process to restore services, with dealerships gradually being brought back online in phases. Full restoration was completed by July 4, 2024, after a phased recovery approach. 

Throughout the attack, CDK did not disclose the full scope of the breach, including which systems were compromised, the vulnerabilities exploited, or whether sensitive customer data was stolen. The lack of transparency has raised concerns among affected dealerships and stakeholders. 

Technical Analysis: How the CDK Global Cyber Attack Likely Happened

While specific technical details about the vulnerabilities exploited in the June 2024 cyber attack on CDK Global have not been fully disclosed, we can piece together the general methods that were likely used by the attackers, based on common tactics employed in similar ransomware attacks. 

  1. Initial Access: How Did the Hackers Get In?

It is suspected that the ransomware group BlackSuit used a combination of phishing and exploiting software vulnerabilities to gain access to CDK’s systems. Phishing, a method that targets employees with deceptive emails or messages designed to steal credentials or install malware, is a very common entry point for cybercriminals. Although CDK hasn’t confirmed this, phishing remains one of the most effective ways to compromise network security. 

Additionally, CDK’s platform is accessed by dealerships via an always-on VPN, which allows local applications to connect with CDK’s systems. If vulnerabilities were present in the VPN or other components, they would have given attackers an opportunity to gain access to the network. Any sensitive data compromised in the breach poses risks of identity theft and financial fraud, adding to the severity of the situation.

  2. Lateral Movement: Expanding the Reach

Once inside the network, the attackers likely moved laterally across CDK’s systems. This means they used techniques like credential dumping, which involves stealing usernames and passwords held in a system’s memory (RAM). With stolen credentials, attackers can gain access to additional systems and exploit weak permissions to move deeper into the network. This technique helps them expand their reach and locate valuable data.

  3. Privilege Escalation: Gaining Full Control

To maximize the damage, the attackers likely escalated their privileges, gaining higher-level permissions to control critical systems. This could have been done by exploiting unpatched software vulnerabilities or leveraging administrative privileges to move freely through CDK’s infrastructure. With full control, the attackers could further compromise systems and prepare for the encryption of files. 

  4. Payload Deployment: The Ransomware Strikes

The final stage of the attack was the deployment of the ransomware payload. Once the attackers had gained control of the systems and escalated their privileges, they encrypted key files and shut down CDK’s operations. 

While the exact technical details remain unclear, these steps align with common tactics used in ransomware attacks, which have become increasingly sophisticated and damaging. CDK Global’s recovery efforts, including dealing with the ransom demand, ultimately helped restore services after significant disruption to the automotive industry. 
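The credential-dumping step in the lateral-movement stage above is one of the few points in this chain that leaves a clear host-level trace. As an added example (not from the original post and not CDK's tooling), the detector below scans constructed Windows Sysmon Event ID 10 (ProcessAccess) records for non-allow-listed processes that open lsass.exe with memory-read rights or from an unbacked call stack; the event fields and access-mask bits follow the Sysmon schema, while the allow-list and the sample events are assumptions.

```python
# Added example: detect likely LSASS memory-dumping from Sysmon Event ID 10 records.
from dataclasses import dataclass

# PROCESS_VM_READ is the access right a dumper needs to read LSASS memory.
# Dumping tools commonly request masks such as 0x1010 or 0x1410, which include it.
PROCESS_VM_READ = 0x0010

# Processes that legitimately touch LSASS in many environments.
# Assumption: this allow-list is environment-specific and must be maintained.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


@dataclass
class ProcessAccessEvent:
    """Subset of Sysmon Event ID 10 fields used by the check."""
    source_image: str     # process that opened the handle
    target_image: str     # process the handle was opened to
    granted_access: int   # access mask actually granted
    call_trace: str       # stack of the call; UNKNOWN frames mean unbacked code


def is_lsass_dump_attempt(ev: ProcessAccessEvent) -> bool:
    """True when an unexpected process reads LSASS memory or calls from unbacked code."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return False
    reads_memory = bool(ev.granted_access & PROCESS_VM_READ)
    unbacked_stack = "UNKNOWN" in ev.call_trace.upper()
    return reads_memory or unbacked_stack


def find_dump_attempts(events):
    """Return every event that looks like a credential-dumping attempt."""
    return [e for e in events if is_lsass_dump_attempt(e)]


# Constructed sample events (not real telemetry). Only the second one should fire:
# a binary in a user's Temp folder reading LSASS memory from an unbacked frame.
SAMPLE_EVENTS = [
    ProcessAccessEvent(r"C:\Windows\System32\csrss.exe", r"C:\Windows\System32\lsass.exe", 0x1FFFFF, "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1c4"),
    ProcessAccessEvent(r"C:\Users\jdoe\AppData\Local\Temp\update.exe", r"C:\Windows\System32\lsass.exe", 0x1010, "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1c4|UNKNOWN(00000000001B2A10)"),
    ProcessAccessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", 0x1010, "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1c4"),
    ProcessAccessEvent(r"C:\Windows\System32\taskmgr.exe", r"C:\Windows\System32\lsass.exe", 0x1400, "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1c4"),
]

if __name__ == "__main__":
    for hit in find_dump_attempts(SAMPLE_EVENTS):
        print(f"ALERT: {hit.source_image} opened LSASS with access 0x{hit.granted_access:X}")
```

The query-only access from Task Manager (0x1400, no PROCESS_VM_READ) is deliberately not flagged, which keeps the rule from drowning in benign process-information lookups.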

What Businesses Can Learn from the CDK Global Cyber Attack

The CDK attack underlines the importance of preparing for the worst and implementing proactive strategies to protect against evolving cyber threats. At PSM Partners, we focus on delivering tailored IT solutions that ensure the security and continuity of your business operations. Here are several key lessons we’ve taken from the CDK breach that we apply to our own practices:

  1. The Necessity of Robust Cybersecurity Protocols

Cyber threats continue to increase across industries, with over 2,741 data breach incidents reported in the U.S. in 2024 alone. At PSM Partners, we emphasize the importance of investing in advanced security tools, training, and regular security audits. These audits help identify weaknesses, confirm regulatory compliance, and maintain continuous monitoring so that potential vulnerabilities are detected early. By implementing a strong patch management procedure, we ensure that your systems stay protected against known security flaws, reducing the risk of attacks.

  2. Developing Proactive Incident Response Plans

Having a well-defined incident response plan in place is critical. At PSM Partners, we help organizations prepare for incidents with comprehensive response and recovery strategies. A well-structured plan can significantly reduce downtime and operational disruption by detailing steps for immediate containment, clear communication channels with stakeholders, and a fast recovery process. 

  3. Data Backup and Recovery

Data backup should be a standard part of any organization’s cybersecurity strategy. Regular, secure backups—stored separately from the primary network—allow businesses to quickly recover without falling prey to ransomware demands. At PSM Partners, we ensure that your backup strategy is both secure and reliable, minimizing the impact of any cyber attack.

  4. Third-Party Risk Management

Partnering with third-party vendors introduces additional risk, especially if their cybersecurity practices are not up to par. At PSM Partners, we emphasize the importance of thorough vendor assessments, ensuring that all third-party partners comply with stringent security standards and best practices. Before partnering with any vendor, we help clients assess their security protocols, certifications, and overall cybersecurity maturity to safeguard their interconnected systems. 

  5. Employee Education and Training

A major attack vector is often human error, which is why continuous cybersecurity training is crucial. At PSM Partners, we prioritize training for all staff, not just IT professionals, to recognize phishing attempts and other social engineering tactics. Educating employees on data protection and best practices is one of the most effective ways to reduce the likelihood of a successful breach. 

  6. Clear and Transparent Communication Channels

Effective communication is vital during a cyber incident. CDK’s lack of centralized updates on their breach led to confusion and frustration. PSM Partners helps businesses establish clear, transparent communication channels to provide timely updates to customers, stakeholders, and regulatory bodies. Regular updates help manage expectations, maintain trust, and ensure that everyone is informed of recovery efforts. 

  7. Partner with a Trusted Cybersecurity Provider

As cyber threats evolve, partnering with an experienced cybersecurity provider ensures that you are always prepared. PSM Partners works with trusted experts who provide the latest threat intelligence and risk management strategies, helping our clients stay ahead of potential risks. We ensure compliance with key regulations while safeguarding sensitive data and systems from unauthorized access or leaks.

By collaborating with a cybersecurity partner like PSM Partners, you gain access to a wealth of resources and expertise. Our tailored cybersecurity solutions help protect your business, reduce risks, and keep you compliant—ensuring the safety and longevity of your operations. 

 Not sure where to start? We’ve got you covered! Get a free cybersecurity assessment and uncover potential vulnerabilities in your security—no cost, no obligation. Know where you stand and take the first step toward stronger protection today! 

About the Author

Ryan Williams

Ryan Williams is the Practice Director of Professional Services at PSM Partners, where he leads a team of skilled cloud engineers in delivering innovative technology solutions. With 26 years of Microsoft technology experience—including expertise in Azure, Security, and Microsoft 365—Ryan brings a strategic approach to cloud solutions and business partnerships.
