Major Cybersecurity Breach Affects Auto Manufacturers


Best Guesses for Data Breach Perpetrators

Pieter Arntz, malware analyst at Malwarebytes, suspects CDK needed more time to analyze the initial breach before taking further action.

“The most interesting point about the attack on CDK Global is that it was hit a second time while still recovering from the first attack. If I had to guess how it happened, my thought would be that CDK restored systems too quickly. Many companies will set systems back to a restore from an earlier date, but attackers can afford to linger on a system for long periods of time. Restoring systems from, say, a week ago is often not far enough. But again, this is guesswork, and we’ll learn more in the coming weeks,” Arntz says.

Andy Thompson, offensive cybersecurity research evangelist at CyberArk, wonders whether BlackSuit is the only threat actor involved in the pair of breaches.

“One thought to consider is if there were multiple threat actors involved, which is often the case. We saw this play out in the RNC hack back in 2020, where multiple nation-state threat actors (from the same country) were embedded in the RNC networks, unbeknownst to each other! If that was the case here, there often comes a time when one threat actor strikes first and forces the hand of the other to either execute their own end-game or bow out empty-handed. This potentially sounds like one of those situations. Rather than leaving empty-handed, a second attack could have been executed by the remaining threat actor,” Thompson says.

Dror Liwer, co-founder of cybersecurity company Coro, suggests how the breach might have happened in the first place.

“Within the 3,400 car dealerships Coro defends, in the last 12 months, more than 62 million phishing attempts were thwarted. That’s an average of 16 attempts per month per employee,” Liwer says.

In other words, maybe our take on the Verizon DBIR report is depressingly accurate.

