
Cyber Incident Victim: Kia Motors America

Date:

Feb 2021

Location:

United States of America

Summary

Kia Motors America experienced a ransomware attack attributed to the DoppelPaymer gang, which disrupted internal networks and customer-facing services including owner portals and mobile apps. The attackers demanded $20 million in bitcoin to prevent data leaks and provide a decryption key, threatening to release exfiltrated information within weeks and increasing the ransom to $30 million if unpaid. Despite the company's public statement denying evidence of ransomware, dealerships reported operational outages linked to the incident, and a ransom note explicitly named the organization alongside Hyundai Motor America, which faced similar disruptions. The gang leveraged stolen data as additional pressure, consistent with their known tactics against previous victims.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

In mid-February 2021, Kia Motors America (KMA) experienced a significant IT systems outage impacting customer-facing platforms and internal networks. The disruption began around February 15th, with dealerships reporting server unavailability that prevented vehicle deliveries and transactions. Customers attempting to access the Kia Owners Portal, UVO Mobile Apps, and Consumer Affairs Web portal encountered service interruptions. The DoppelPaymer ransomware gang claimed responsibility for the attack, leaving a ransom note demanding 404 bitcoins (approximately $20 million) for a decryptor and to prevent publication of stolen data. The note threatened to increase the demand to 600 bitcoins ($30 million) if payment was delayed and warned of data leakage within 2-3 weeks without negotiation. Forensic evidence indicated attackers exfiltrated a substantial volume of unencrypted files prior to encryption, consistent with DoppelPaymer's double-extortion tactics. The ransom payment portal referenced "Hyundai Motor America," suggesting potential targeting of affiliated entities.

Kia Motors America publicly acknowledged an ongoing IT outage but initially disputed ransomware involvement, stating they had "seen no evidence" of such an attack in communications to BleepingComputer on February 16-17. Operational impacts extended beyond digital platforms, disrupting dealership operations across KMA's network of nearly 800 U.S. locations. Hyundai Motor America concurrently experienced similar system outages, though they likewise denied confirmed ransomware compromise. The attackers leveraged DoppelPaymer's established methodology of data theft followed by encryption, with prior high-profile victims including PEMEX and Newcastle University. KMA maintained focus on restoring systems with minimal business interruption while apologizing to affected customers. No official confirmation emerged regarding data compromise extent, ransom payment, or decryption success. The incident remained under investigation as a developing story at the time of reporting.
