Hackers Responsible for Kia’s Ransomware Attack Demand Millions in Bitcoin

By Car Brand Experts


Kia is currently facing a significant challenge. As reported earlier today, the automaker’s online services seem to be disconnected, preventing customers from starting their vehicles remotely through Kia’s apps or accessing the company’s financing website to make payments. This situation has raised suspicions of a possible cyberattack, with ransomware being a likely culprit, a theory which has been supported by a recent report.

A report from the information security news outlet Bleeping Computer reinforces this possibility, sharing a screenshot of an alleged ransom note demanding $20 million from Kia to decrypt its files.

Screenshot: Kia

The reported attack is believed to be linked to a group known as DoppelPaymer, identified by CrowdStrike researchers in 2019. These types of threat actors often target large companies for significant payouts, according to a security bulletin from the FBI released late last year. The ransom note mentions that the malware not only encrypted real-time data, but also the company’s backups, an advanced tactic that makes recovery more difficult.

Adding to the situation, the note indicates that a substantial amount of data has been exfiltrated and threatens to release it within three weeks. While the specific data taken remains unclear, the note claims it includes a “huge amount,” suggesting that the attackers may have accessed a wide range of Kia’s online services. In simple terms, these attackers appear to have stolen significant data from Kia’s systems and blocked access to certain internal resources.

After several attempts to contact Kia, The Drive finally received a response from a spokesperson who acknowledged that Kia is “experiencing an extended systems outage,” but did not specify the cause. The spokesperson minimized the allegations of a ransomware attack reported by Bleeping Computer.

“Kia Motors America, Inc. is currently experiencing an extended systems outage,” the spokesperson stated in an email to The Drive. “Affected systems include the Kia Owners Portal, UVO Mobile Apps, and the Consumer Affairs Web portal. We apologize for any inconvenience to affected customers and are working to resolve the issue as quickly as possible with minimal disruption to our business.”

The spokesperson further added: “We are also aware of online speculation that Kia is subject to a ‘ransomware’ attack. At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a ‘ransomware’ attack.”

Nevertheless, the report from Bleeping Computer refers to detailed communications from the alleged attackers. They reportedly used a ProtonMail email address for correspondence and created a page on the Tor anonymity network that includes a chat function for assistance in making ransom payments. As of this writing, the hackers were demanding 404.5412 Bitcoin, approximately $20.9 million. The ransom note warns that if the payment is delayed, the amount will increase, potentially reaching 600 Bitcoin ($31 million) if the automaker fails to comply within nine days.

Screenshots of these ransom notes have been shared by Bleeping Computer. It is essential to note that DoppelPaymer is the same type of malware responsible for the data breach at Visser, a defense contractor that supplies parts for both Tesla and SpaceX, last year.

Meanwhile, Kia’s crucial connected services remain unavailable, leaving customers unable to pay car loans, remotely start vehicles, or access other functionalities reliant on Kia’s systems. Numerous dealerships are also experiencing disruptions. One dealership acknowledged the presence of malware and reported an inability to process customer orders or access detailed information related to vehicle issues.

While Kia maintains that there is no evidence of a cyberattack, the data revealed points toward a different conclusion. This situation presents a significant headache for the automaker, especially during a challenging time when many Kia owners are unable to remotely unlock or warm up their vehicles amid a severe winter storm affecting much of the country this week.
