Explainer-The 'BlackSuit' hacker behind the CDK Global attack hitting US car dealers

SAN FRANCISCO (Reuters) - A hack into software maker CDK Global has disrupted operations at auto dealerships across the U.S., the latest in a series of hacks where ransom-demanding cybercriminals target big companies by breaching behind-the-scenes software suppliers.

CDK makes software that is commonly used by car dealerships to process sales and other transactions. In light of the hack, many dealers have started processing transactions manually, according to local press reports.

Here is more about BlackSuit, the hacking group analysts say is behind the CDK hack:

WHO/WHAT IS BLACKSUIT?

Not much is known about the group, but it emerged in May 2023. Analysts say it is a relatively new cybercriminal team spun off of an older and well-known Russia-linked hacking group named RoyalLocker.

RoyalLocker mostly hacked American companies and was a formidable hacker group borne out of another prolific gang named Conti. Royal was likely the third most persistent ransomware group after LockBit and ALPHV, according to analysts.

Yet, BlackSuit is not as aggressive as the others. The number of victims it lists on its data leak site suggests it does not have as many hacking partners as larger ransomware gangs, said Kimberly Goody, head of cybercrime analysis at Mandiant Intelligence.

“The majority of BlackSuit victims have been overwhelmingly based in the U.S., followed by the U.K. and Canada and span a wide range of sectors,” she said.

HOW MANY ORGANIZATIONS HAS BLACKSUIT HACKED?

It has breached at least 95 organizations globally, according to the security firm Recorded Future.

“The real number of BlackSuit victims is likely much higher,” the firm said by email.

These were mostly American organizations in areas such as industrial goods and education, according to a blog last month by the security firm ReliaQuest.

“We have seen Russian-speaking threat actors affiliated with BlackSuit soliciting partnerships in underground forums to provide access to companies, as recently as last week,” said Goody.

HOW DOES BLACKSUIT OPERATE?

BlackSuit is known to carry out “double extortion,” which in cyber terms means it steals a victim organization’s sensitive data, locks up its systems, and also threatens to leak information.

Mandiant’s Goody said BlackSuit had provided hacking infrastructure to other smaller partner groups of cybercriminals known as "affiliates." BlackSuit provided extortion-related support to its partners, including resources to harass victims or down their websites to pressure them into paying.

(Reporting by Christopher Bing and Zeba Siddiqui; Editing by Chris Sanders and Chris Reese)