Capita customer data was stolen in March ransomware attack

Public sector outsourcer Capita has confirmed that some confidential data was stolen from a small proportion of its server estate affected by a Black Basta ransomware attack in March 2023.

The incident caused major IT outages and significant impact to customer-facing services at many public sector bodies and some operators of critical national infrastructure (CNI) across the UK, with staff left unable to take calls from members of the public and others falling back on traditional pen and paper.

The cyber attack was subsequently claimed by the Black Basta ransomware crew, which listed Capita on its dark web leak site and published documents that seem to have been stolen from its systems, including client information.

The purloined data is alleged to include personally identifiable information (PII) on teaching job applicants for a number of schools in Sheffield, payment details for clients of Capita Business Services’ Capita Nuclear unit, and internal floor plans.

Capita now believes the ransomware operator first gained unauthorised access on Saturday 22 March and was present in its systems for a week before being discovered and ejected on Friday 31 March.

“As a result of the interruption, the incident was significantly restricted, potentially affecting around 4% of Capita’s server estate,” a Capita spokesperson said in a statement.

“There is currently some evidence of limited data exfiltration from the small proportion of affected server estate, which might include customer, supplier or colleague data.

“Capita continues to work through its forensic investigations and will inform any customers, suppliers or colleagues that are impacted in a timely manner.

“Capita continues to comply with all relevant regulatory obligations,” the spokesperson said.

Since the incident, Capita and its technical partners have successfully restored internal access to Microsoft Office 365, and the affected client services, which are understood to have been a small proportion of the total, have been mostly restored.

An investigation by specialist cyber security advisors and a forensics team is ongoing to provide assurance around the data breach. However, Capita has not yet formally acknowledged the ransomware attack.

The organisation’s stock has dropped significantly since Black Basta first claimed the attack, although it is currently stable.

Black Basta first emerged in spring 2022 and has become one of the most prominent human-operated, double-extortion ransomware-as-a-service (RaaS) operations.

Typically, it arrives via zip files attached to phishing emails, which deploy the Qakbot trojan to establish initial access. It then deploys the legitimate Cobalt Strike post-exploitation framework for command and control and system discovery, and conducts lateral movement using remote desktop protocol (RDP) and PSexec prior to executing the ransomware.

The locker itself is coded in C++ and is capable of attacking both Windows and Linux systems, encrypting data quickly in small chunks, which enables it to do more damage before triggering defences.

Researchers tracking the operation have seen multiple similarities to other prominent gangs in Black Basta’s approach to malware development, leak sites and communications, which have prompted speculation that the group may be composed of former members of the Conti and REvil operations, or at the very least has been heavily inspired by them.

Links have also been posited to the FIN7 threat actor – which is thought to run the BlackCat/ALPHV gang – thanks to similarities in their endpoint detection and response evasion techniques and overlapping IP addressed used for command and control.

Leave a Reply

Your email address will not be published. Required fields are marked *