Cyberattack on Software Company Disrupts Car Dealerships

Thousands of car dealers across North America have been forced to revert to pen and paper after a software company they rely on was hit by several cyber attacks last week. The outage has not only caused delays and inconveniences for customers, but has also raised major questions about whether sensitive data was compromised. William Brangham joins us now. William, tell us more about this company.

Jeff, the company that was hit was called CDK Global, and they provide internal software systems for about 15,000 different car dealerships in America and Canada for all their internal computer systems. We spoke with one dealer in the greater Philadelphia area.

We’re writing everything by pen and paper and by hand, but we can’t go into our backend systems and see what the actual warranty costs are on things or what things are actually going to cost. It’s a manual process now that takes a lot longer, especially in service. And then when we talk about the sales part of it, that gets even crazier because that has a lot of compliance components such as credit, your red flags, your OFACs, and all of those things which integrate into CDK.

Since very little has been publicly said about who hacked this system, whether the attackers are demanding a ransom and when the system might return to normal, we thought it’s a good idea to check in with someone who could help us understand what is going on. Chris Krebs used to run the Federal Government’s Lead Cybersecurity agency, and he’s now Chief Intelligence and Public Policy Officer at SentinelOne. Chris Krebs, welcome back to the NewsHour. Can you give us your best understanding of what’s actually going on here?

William, thanks for having me on. So this is unfortunately part of a larger surge in ransomware attacks on US businesses that we’ve seen recently. You might remember a couple months ago we had UnitedHealthcare and Change Healthcare hit by a ransomware event. This is just another string in this Eastern European and Russian criminal gangs that are hitting US businesses. My understanding is that CDK was hit last week. They tried to restore operations. There was subsequently hit by a second attack. That is not unusual. In fact, we see that quite often as organizations try to rush back and hurry back to getting operations back up and running. So now they are in the process of containing, which means trying to get the ransomware operators out of their network and get safe, secure operations back up to support their customers.

So this is not an attack on what we would call critical infrastructure. I mean, car dealerships, if car sales are slow, it’s bad if the economy, but they will eventually pick back up again. So this is your indicating suggest that these are criminals who have done this because they’re trying to squeeze money out of the company. Is that right?

Absolutely. And the unfortunate part of all of this is that the amounts that are being demanded by these cyber criminals is only increasing. We’re seeing millions, if not tens of million dollars of demands. Now, we don’t have official numbers on what this group may have demanded from CDK just yet, but it has been 20 to 30 million in the average lately. And yeah, you know what? This might not be critical infrastructure, but it sure does affect us. It affects someone that’s trying to go out there and get a new vehicle if their old vehicle broke down. So it’s unfortunately part of a bigger mental attack on the United States and our people.

I know that there’s a lot of debate over whether or not paying these ransoms is a good idea. Where do you come down on that argument?

I think the unfortunate reality is that paying only benefits the attacker, it rewards them. And that’s why the United States is getting disproportionately affected by ransomware. Yes, you have cybersecurity incidents in Europe, in the United Kingdom and elsewhere, but because we pay at a higher clip here in the US, the bad guys are coming here and they’re hitting our businesses pretty hard.

(04:13)
I would suggest though that we think about this at a higher level where this is not just some random cyber criminals. There is a geopolitical element to ransomware as well where it fits into Russia and the Kremlin’s bigger strategy to attack the West, to attack the United States so that we’re talking about this tonight on TV, so that we’re experiencing this, we’re being inconvenienced, we’re scared of more and more cyber attacks. So ultimately this does, I believe, play into Putin’s overall strategy.

Given the amount of these ransomware attacks as you’ve been describing, what is going on here? Is it just that this is a very hard thing to defend against or are companies not taking this that seriously? What is the weak link here?

Well, it’s a combination of factors. I talk about the three-legged stool of ransomware. First is that businesses continue to manage their enterprise, their networks in a way that’s unfortunately not entirely secure that gives the bad guys an opportunity to come in. And sometimes it’s not their own fault. It’s the products or services that companies are using that are vulnerable and therefore subject to exploitation.

(05:27)
The second really is the monetization of these vulnerable and misconfigured networks. The bad guys have figured out that they can use cryptocurrency to hold at Ransom American and other companies. They can pull value out and take it to places where the third leg of the stool where they can’t be held accountable, and that’s many times Eastern Europe and Russia. So what are we going to do about this? We need more aggressive responses by law enforcement and by the national security apparatus, which we have seen an uptick. We’ve seen the US government and the United Kingdom government go after a group known as LockBit and take them offline. We need more and more of that.

All right, Chris Krebs of SentinelOne, always good to see you. Thanks so much.

Thanks so much, William.