Enlarge/ Vehicles for sale at an AutoNation Honda dealership in Fremont, California, US, on Monday, June 24, 2024.
Getty Images
After “cyber incidents” on June 19 and 20 took down CDK Global, a software-as-a-service vendor for more than 15,000 car dealerships, forum and Reddit comments by service tech workers and dealers advised their compatriots to prepare for weeks, not days, before service was restored.
That sentiment proved accurate, as CDK Global last expected to have “all dealers’ connections” working by either July 3 or 4, roughly two weeks’ time. Posts across various dealer-related subreddits today suggest CDK’s main services are mostly restored, if not entirely. Restoration of services is a mixed blessing for some workers, as huge backlogs of paperwork now need entering into digital systems.
Bloomberg reported on June 21 that a ransomware gang, BlackSuit, had demanded “tens of millions of dollars” from CDK and that the company was planning to pay that amount, according to a source familiar with the matter. CDK later told its clients on June 25 that the attack was a “cyber ransom event,” and that restoring services would take “several days and not weeks.” Allan Liska, with analyst Recorded Future, told Bloomberg that BlackSuit was responsible for at least 95 other recorded ransomware breaches around the world.
Lisa Finney, senior manager for external communications at CDK, told Ars on Monday that the firm had no additional information to provide about the attacks, service restoration, or plans for dealers preparing against future attacks.
During the outage, many dealerships pivoted from all-in-one software platforms to pens, paper, Excel sheets, phone calls, and, in some cases, alternative local software. Car Dealership Guy rounded up some of the dealerships’ work-arounds. Repair part numbers, hours, and partial VIN numbers were being tracked in Excel. Lots of dealers grabbed the last contracts they had on hand, blanked out customer information, and made editable PDFs out of them.
Lots of dealers and service managers advocated preparing for the next outage with “no Internet days.” Others noted that the steps some dealerships were taking, like using their own phones for contacting sales leads, could run afoul of privacy and “Do not call” provisions.
Anderson Economic Group, a Michigan-based auto analyst, estimated that CDK’s shutdown cost auto dealers more than $600 million over a two-week period. CDK’s outage is expected to play a large part in a June car sales slump.
This story was originally published by ProPublica.
Investigating how the world’s largest software provider handles the security of its own ubiquitous products.
After Russian intelligence launched one of the most devastating cyber espionage attacks in history against US government agencies, the Biden administration set up a new board and tasked it to figure out what happened—and tell the public.
State hackers had infiltrated SolarWinds, an American software company that serves the US government and thousands of American companies. The intruders used malicious code and a flaw in a Microsoft product to steal intelligence from the National Nuclear Security Administration, National Institutes of Health, and the Treasury Department in what Microsoft President Brad Smith called “the largest and most sophisticated attack the world has ever seen.”
But for reasons that experts say remain unclear, that never happened.
Nor did the board probe SolarWinds for its second report.
For its third, the board investigated a separate 2023 attack, in which Chinese state hackers exploited an array of Microsoft security shortcomings to access the email inboxes of top federal officials.
A full, public accounting of what happened in the Solar Winds case would have been devastating to Microsoft. ProPublica recently revealed that Microsoft had long known about—but refused to address—a flaw used in the hack. The tech company’s failure to act reflected a corporate culture that prioritized profit over security and left the US government vulnerable, a whistleblower said.
The board was created to help address the serious threat posed to the US economy and national security by sophisticated hackers who consistently penetrate government and corporate systems, making off with reams of sensitive intelligence, corporate secrets, or personal data.
For decades, the cybersecurity community has called for a cyber equivalent of the National Transportation Safety Board, the independent agency required by law to investigate and issue public reports on the causes and lessons learned from every major aviation accident, among other incidents. The NTSB is funded by Congress and staffed by experts who work outside of the industry and other government agencies. Its public hearings and reports spur industry change and action by regulators like the Federal Aviation Administration.
So far, the Cyber Safety Review Board has charted a different path.
The board is not independent—it’s housed in the Department of Homeland Security. Rob Silvers, the board chair, is a Homeland Security undersecretary. Its vice chair is a top security executive at Google. The board does not have full-time staff, subpoena power or dedicated funding.
Silvers told ProPublica that DHS decided the board didn’t need to do its own review of SolarWinds as directed by the White House because the attack had already been “closely studied” by the public and private sectors.
“We want to focus the board on reviews where there is a lot of insight left to be gleaned, a lot of lessons learned that can be drawn out through investigation,” he said.
As a result, there has been no public examination by the government of the unaddressed security issue at Microsoft that was exploited by the Russian hackers. None of the SolarWinds reports identified or interviewed the whistleblower who exposed problems inside Microsoft.
By declining to review SolarWinds, the board failed to discover the central role that Microsoft’s weak security culture played in the attack and to spur changes that could have mitigated or prevented the 2023 Chinese hack, cybersecurity experts and elected officials told ProPublica.
“It’s possible the most recent hack could have been prevented by real oversight,” Sen. Ron Wyden, a Democratic member of the Senate Select Committee on Intelligence, said in a statement. Wyden has called for the board to review SolarWinds and for the government to improve its cybersecurity defenses.
In a statement, a spokesperson for DHS rejected the idea that a SolarWinds review could have exposed Microsoft’s failings in time to stop or mitigate the Chinese state-based attack last summer. “The two incidents were quite different in that regard, and we do not believe a review of SolarWinds would have necessarily uncovered the gaps identified in the Board’s latest report,” they said.
The board’s other members declined to comment, referred inquiries to DHS or did not respond to ProPublica.
In past statements, Microsoft did not dispute the whistleblower’s account but emphasized its commitment to security. “Protecting customers is always our highest priority,” a spokesperson previously told ProPublica. “Our security response team takes all security issues seriously and gives every case due diligence with a thorough manual assessment, as well as cross-confirming with engineering and security partners.”
The board’s failure to probe SolarWinds also underscores a question critics including Wyden have raised about the board since its inception: whether a board with federal officials making up its majority can hold government agencies responsible for their role in failing to prevent cyberattacks.
“I remain deeply concerned that a key reason why the Board never looked at SolarWinds—as the President directed it to do so—was because it would have required the board to examine and document serious negligence by the US government,” Wyden said. Among his concerns is a government cyberdefense system that failed to detect the SolarWinds attack.
Silvers said while the board did not investigate SolarWinds, it has been given a pass by the independent Government Accountability Office, which said in an April study examining the implementation of the executive order that the board had fulfilled its mandate to conduct the review.
The GAO’s determination puzzled cybersecurity experts. “Rob Silvers has been declaring by fiat for a long time that the CSRB did its job regarding SolarWinds, but simply declaring something to be so doesn’t make it true,” said Tarah Wheeler, the CEO of Red Queen Dynamics, a cybersecurity firm, who co-authored a Harvard Kennedy School report outlining how a “cyber NTSB” should operate.
Silvers said the board’s first and second reports, while not probing SolarWinds, resulted in important government changes, such as new Federal Communications Commission rules related to cell phones.
“The tangible impacts of the board’s work to date speak for itself and in bearing out the wisdom of the choices of what the board has reviewed,” he said.
As health systems around the US are still grappling with an unprecedented ransomware attack on the country’s largest health care payment processor, the US Department of Health and Human Services is opening an investigation into whether that processor and its parent company, UnitedHealthcare Group, complied with federal rules to protect private patient data.
As Ars reported previously, the attack was disclosed on February 21 by UHG’s subsidiary, Optum, which now runs Change Healthcare. On February 29, UHG accused the notorious Russian-speaking ransomware gang known both as AlphV and BlackCat of being responsible. According to The Washington Post, the attack involved stealing patient data, encrypting company files, and demanding money to unlock them. The result is a paralysis of claims processing and payments, causing hospitals to run out of cash for payroll and services and preventing patients from getting care and prescriptions. Additionally, the attack is believed to have exposed the health data of millions of US patients.
Earlier this month, Rick Pollack, the president and CEO of the American Hospital Association, called the ransomware attack on Change Healthcare “the most significant and consequential incident of its kind against the US health care system in history.”
Now, three weeks into the attack, many health systems are still struggling. On Tuesday, members of the Biden administration met with UHG CEO Andrew Witty and other health industry leaders at the White House to demand they do more to stabilize the situation for health care providers and services and provide financial assistance. Some improvements may be in sight; on Wednesday, UHG posted an update saying that “all major pharmacy and payment systems are up and more than 99 percent of pre-incident claim volume is flowing.”
HIPAA compliance
Still, the data breach leaves big questions about the extent of the damage to patient privacy, and the adequacy of protections moving forward. In an additional development Wednesday, the health department’s Office for Civil Rights (OCR) announced that it is opening an investigation into UHG and Change Healthcare over the incident. It noted that such an investigation was warranted “given the unprecedented magnitude of this cyberattack, and in the best interest of patients and health care providers.”
In a “Dear Colleague” letter dated Wednesday, the OCR explained that the investigation “will focus on whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” HIPAA is the Health Insurance Portability and Accountability Act, which establishes privacy and security requirements for protected health information, as well as breach notification requirements.
In a statement to the press, UHG said it would cooperate with the investigation. “Our immediate focus is to restore our systems, protect data and support those whose data may have been impacted,” the statement read. “We are working with law enforcement to investigate the extent of impacted data.”
The Post notes that the federal government does have a history of investigating and penalizing health care organizations for failing to implement adequate safeguards to prevent data breaches. For instance, health insurance provider Anthem paid a $16 million settlement in 2020 over a 2015 data breach that exposed the private data of almost 79 million people. The exposed data included names, Social Security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information. The OCR investigation into the breach discovered that the attack began with spear phishing emails that at least one employee of an Anthem subsidiary fell for, opening the door to further intrusions that went undetected between December 2, 2014, and January 27, 2015.
“Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information,” OCR Director Roger Severino said at the time. “We know that large health care entities are attractive targets for hackers, which is why they are expected to have strong password policies and to monitor and respond to security incidents in a timely fashion or risk enforcement by OCR.”
Enlarge/ A service center for “Kyivstar”, a Ukrainian telecommunications company, that provides communication services and data transmission based on a broad range of fixed and mobile technologies.
Getty Images
Ukrainian civilians on Wednesday grappled for a second day of widespread cellular phone and Internet outages after a cyberattack, purportedly carried out by Kremlin-supported hackers, hit the country’s biggest mobile phone and Internet provider a day earlier.
Two separate hacking groups with ties to the Russian government took responsibility for Tuesday’s attack striking Kyivstar, which has said it serves 24.3 million mobile subscribers and more than 1.1 million home Internet users. One group, calling itself Killnet, said on Telegram that “an attack was carried out on Ukrainian mobile operators, as well as on some banks,” but didn’t elaborate or provide any evidence. A separate group known as Solntsepek said on the same site that it took “full responsibility for the cyberattack on Kyivstar” and had “destroyed 10,000 computers, more than 4,000 servers, and all cloud storage and backup systems.” The post was accompanied by screenshots purporting to show someone with control over the Kyivstar systems.
In the city of Lviv, street lights remained on after sunrise and had to be disconnected manually, because Internet-dependent automated power switches didn’t work, according to NBC News. Additionally, the outage prevented shops throughout the country from processing credit payments and many ATMs from functioning, the Kyiv Post said.
The outage also disrupted air alert systems that warn residents in multiple cities of incoming missile attacks, a Ukrainian official said on Telegram. The outage forced authorities to rely on backup alarms.
“Cyber specialists of the Security Service of Ukraine and ‘Kyivstar’ specialists, in cooperation with other state bodies, continue to restore the network after yesterday’s hacker attack,” officials with the Security Service of Ukraine said. “According to preliminary calculations, it is planned to restore fixed Internet for households on December 13, as well as start the launch of mobile communication and Internet. The digital infrastructure of ‘Kyivstar’ was critically damaged, so the restoration of all services in compliance with the necessary security protocols takes time.”
Kyivstar suspended mobile and Internet service on Tuesday after experiencing what company CEO Oleksandr Komarov said was an “unprecedented cyberattack” by Russian hackers. The attack represents one of the biggest compromises on a civilian telecommunications provider ever and one of the most disruptive so far in the 21-month Russia-Ukraine war. Kyivstar’s website remained unavailable at the time this post went live on Ars.
According to a report by the New Voice of Ukraine, hackers infiltrated Kyivstar’s infrastructure after first hacking into an internal employee account.
Solntsepek, one of two groups taking responsibility for the attack, has links to “Sandworm,” the name researchers use to track a hacking group that works on behalf of a unit within the Russian military known as the GRU. Sandworm has been tied to some of the most destructive cyberattacks in history, most notably the NotPetya worm, which caused an estimated $10 billion in damage worldwide. Researchers have also attributed Ukrainian power outages in 2015 and 2016 to the group.
