Black Basta: A Ransomware Breach of Capita Plc
The Times website has a report about the Black Basta breach of Capita Plc. Capita deny there is any evidence of data being compromised, even though details of Capita’s office floor plans leaked. Black Basta use Qakbot for entry and are monitored by security researchers, governments, and more.
Kevin Beaumont
@gossithedog@cyberplace.social on Mastodon - https://t.co/r8moXSpOva
The Times website has a report this evening about the Black Basta breach of @CapitaPlc. Capita deny there is any evidence of data being compromised… in a story that even includes details of Capita’s office floor plans leaking. #ransomware https://t.co/RgfNoGMjYd pic.twitter.com/FUt7PKwdft
— Kevin Beaumont (@GossiTheDog) April 15, 2023
A fun fact about Black Basta is they use Qakbot for entry, which is heavily monitored by security researchers - including who is infected and when initial access was obtained.
— Kevin Beaumont (@GossiTheDog) April 16, 2023
Black Basta are also heavily monitored… including their exfil infrastructure. https://t.co/1G59Pie8Tn
— Kevin Beaumont (@GossiTheDog) April 16, 2023
Black Basta are also monitored by governments, and come up in COBRA meetings.
— Kevin Beaumont (@GossiTheDog) April 16, 2023
Black Basta take a week or two to do data exfil before attempting to encrypt.
Capita attempting to talk about just the final stage is a huge gamble that could cost them up to 4% of their total global turnover, and be the textbook example of how not to do this. Ethically poor.
— Kevin Beaumont (@GossiTheDog) April 16, 2023
“It is understood Capita has not warned individuals whose passports and driving licences have been published online by the cyber criminals.” https://t.co/sTJ9BRcFsJ
— Kevin Beaumont (@GossiTheDog) April 16, 2023
Capita “not been able to confirm” whether the files posted online were taken from its systems. They’ve been doing the rounds online for 8 days, which Capita knew about.
Some of the documents contain “Capita Confidential” watermarks, and clearly identify Capita business units.
— Kevin Beaumont (@GossiTheDog) April 16, 2023
Capita’s investor relations are emailing shareholders a statement suggesting the Black Basta data may be sourced from “public domain”. Given it includes passport scans, job applications & “Capita Nuclear” docs… 😬🫡 https://t.co/oFCWOf6Hvm pic.twitter.com/UJTWY02KrL
— Kevin Beaumont (@GossiTheDog) April 18, 2023
Correct. https://t.co/jxhVL5u5FO
— Kevin Beaumont (@GossiTheDog) April 18, 2023
Capita has a Private Investor Webinar scheduled for today, but they just rescheduled it to May 9th.
Current: https://t.co/5GBYxIQilz
Archive: https://t.co/qgnxJvOZf5 pic.twitter.com/SuEszVVH0w
— Kevin Beaumont (@GossiTheDog) April 18, 2023
Here’s The Register’s take. https://t.co/c9fU6mHtg5
— Kevin Beaumont (@GossiTheDog) April 18, 2023
Regarding El Reg’s mention of O2 - Capita supply some of their call centres, which were impacted by the “IT Incident”. https://t.co/ybIp3vjx35
— Kevin Beaumont (@GossiTheDog) April 18, 2023
I have a new blog to write for Capita, a threat intel company has found endpoints belonging to them in their Qakbot monitoring telemetry - they were infected by Black Basta's variant 11 days before Capita say the incident began.
In English, Capita had hackers inside for weeks.
— Kevin Beaumont (@GossiTheDog) April 18, 2023