Kia suffered a days-long outage affecting mobile and web-based service, which some claim to be tied to a ransomware attack. (Kia Corporation)

A days-long outage affecting mobile and web-based service calls into question Kia Corporation’s contingency planning for cybersecurity incidents, even as the company remains defiant about claims that a ransomware attack and data breach are to blame.

Members of the DoppelPaymer ransomware gang have added both Kia and parent organization Hyundai Motor Company to their public leak site, and last week a ransomware note demanding a $20 million extortion payment was published in at least one prominent media report. This followed a string of reports and social media complaints detailing the disruption of key online and mobile services such as the Kia Owners Portal, UVO Mobile Apps and the Consumer Affairs Web portal.

So far, Kia and Hyundai have denied the existence of evidence that an attack has taken place – a strategy that could test the trust of their customers if the accusations are ultimately proven out. Still, some experts say it might be too early in the process to reveal everything the company knows.

Regardless of the cause of the outage, the incident calls into question the responsibility of companies offering a multitude of key consumer-facing services to create more redundancies, allowing them to continue operating even when ransomware attacks knock down their primary infrastructure.

In an official statement released last week, Kia described the unavailability of its services, including remote start and heating – important features during the deep freeze of winter – as an “extended systems outage” that began on Saturday, Feb. 13.

“We are aware of online speculation that Kia is subject to a ransomware attack. At this time, and based on the best and most current information, we can confirm that we have no evidence that Kia or any Kia data is subject to a ransomware attack,” the statement continued.

But then how does one explain the actions of the DoppelPaymer gang? As noted on Monday by Brett Callow, threat analyst at Emsisoft, “Kia/Hyundai were added to the leak site at some point during the last 24 hours.”

It’s hard to imagine the leak site posting is an elaborate ruse or hoax on the part of the attackers. Is it possible there was no ransomware attack?

“It’s possible, but not probable,” said John Shier, senior security adviser at Sophos. “In my experience, most denials are either because the company still doesn’t have a firm understanding of the scope of the attack and are trying to buy some time – or because there are legal reasons to do so at the time.”

“I’m not certain what’s happening behind the scenes at Kia, but I don’t think they have an obligation to make public any details of the incident unless it affects shareholder value,” said Chris Grove, technology evangelist at Nozomi Networks. “Maybe there’s a combination of incidents. If Kia is in the midst of recovery efforts, there may be a conflict between those efforts and what statements can be made public. I’d like for them to recover, let the dust settle, and then assess their incident response.”

Of course, downtime caused by ransomware can be financially disastrous for any company, but those unable to directly interface with and respond to customers’ needs via their online and mobile offerings have an especially dire need to resume normalcy as quickly as possible.

“This is an example of how disruptive ransomware can be, even for the largest organizations,” said Erich Kron, security awareness advocate at KnowBe4. “Cybercriminals… have honed their skills to create the most mayhem and disruption possible, in an effort to demand these incredibly high ransoms.”

For Kia, an outage of significant IT systems, including those needed for customers to take delivery of their newly purchased vehicles, could cost “both a considerable amount of money as well as reputational damage with current and potential customers.”

Kia is certainly not the first to experience such headaches. In January 2020, a ransomware attack rendered Travelex unable to conduct monetary transactions via its website or app. And in July a WastedLocker encryptor attack impeded Garmin’s online services such as website functions, customer support, customer-facing applications, and company communications.

For e-services and portal services like those mentioned above, is it not possible to have redundant, isolated infrastructure in place so that if the main servers are taken down by ransomware or some other cyber incident, the company can immediately switch to unaffected back-up servers rather than suffer extended outages? According to experts, it can be done, but there are financial and logistical considerations that often complicate such strategies.

“Sometimes it helps, but sometimes not,” said Grove. “First, maintaining a cold backup is expensive, and testing to ensure it will be operational when needed not only takes massive resources, but puts that secondary infrastructure at risk of being infected alongside the main production infrastructure.”

“Additionally, redundant internet connections, servers, etc. in many cases lead back to non-redundant parts, like PLCs controlling the robotics, or production control networks that may have some redundancy, but not 100% coverage. It’s rare to find redundant digital panels controlling machinery, which are sometimes running on old, outdated versions of Windows that are highly susceptible to being infected with ransomware.”

Moreover, Shier added, attackers who know what they’re doing are prepared for their victims’ using such contingencies. There are two scenarios to consider: an online and an offline redundant infrastructure.

“In the online scenario, the attackers would have taken that into account,” Shier said. “The types of criminals who breach large corporate networks, often referred to as big game hunters, are highly skilled, methodical, and patient. They will take their time to explore the network and find every important system prior to deploying the ransomware, including any backups and redundant infrastructure, and disable them.”

In the offline scenario, the criminals would have discovered this through their reconnaissance – both of the network and stolen documents – and been prepared to actively deal with any attempts to recover from the attack.

“If you don’t completely cut off their access to the network, they can override or revert any changes you make,” Shier continued. “It’s important to remember that in these types of attacks, the criminals are using credentials with the highest level of access within the network. Everything you can see and do, they can too.”

Niamh Muldoon, global data protection officer at OneLogin, said the best defense against ransomware is “a robust business continuity plan and changing the architecture to support regular security hygiene routines such as patching and regular backups, version control and thorough testing of disaster recovery procedures. Companies that leverage cloud-based storage and automatic syncing from endpoint devices will be well-placed to recover from such attacks, but should practice the recovery procedure to minimize downtime if an attack does occur.”