Executive Summary
On the 31st of March at 2:00pm, The Times reporter, Katie Prescott, published an article speculating on fears that the UK outsourcing company Capita had been hit by a cyber-attack. Capita had previously issued a statement saying they were aware of a technical issue but, at that stage, did not say whether it was a data breach. Employees at the company reported being denied access and had been informed via text message not to attempt access or submit password recovery requests.
Over the next 2 weeks, Capita continued to release press statements confirming the IT issue was in fact a cyber-attack while boasting of their impressive response and swift decision making, and stating that their response was a “blueprint for others to follow”.
Subsequently, on April 17th, the Black Basta ransomware gang claimed responsibility for the Capita hack by publishing example data in the public domain. Following this development, Capita took nearly a week to confirm that data had in fact been stolen and that they had suffered a data breach. Investigators believe the ransomware gang had gained access and exfiltrated data as early as March 22nd, over 1 week before Capita were made aware and published any statement. This has led many to cite the attack and the response effort as an example of what not to do, owing to Capita’s lack of transparency and clarity to staff, investors and the public over the events which occurred.
Attack Summary
At 4:00 AM on the 31st March, Capita computer systems went offline, with many staff unaware until they tried to log on at 7am. At this time, employees received a text from the company explaining that there was a company-wide IT problem and requesting that users do not try to access the VPN or submit password recovery requests. Capita issued a public update stating that it was aware of an IT issue affecting computer systems but did not think it was a cyber-attack.
Capita reported the issue was primarily impacting access to internal Microsoft Office 365 applications and that although it caused disruption to some services provided to individual clients, the majority of their client services remained in operation. After initially blaming an IT issue, on the 3rd April, Capita confirmed they experienced a cyber incident but claimed that no evidence of customer, supplier or colleague data compromise had been observed. From this point until the data was published, no further updates were released.
2 weeks later, on the 17th April, the Russian-linked Black Basta ransomware group publicly claimed responsibility for the attack by listing Capita, together with stolen passport photos, BACS payment lists and more, on their dark web leak site. No information on the ransom demand had been made public; however, this confirmed that the previously stated IT issue was a direct result of a ransomware incident.
Whilst no confirmation of whether Capita have paid the ransom demand has been issued, the Black Basta gang have since removed Capita and the associated evidence from its public listings, leading to speculation that Capita have, at the very least, entered into negotiations with the hackers.
Conclusions
Throughout the incident, Capita’s public statements have been sparse and untruthful, leading to criticism of their lack of transparency and response efforts. As one of the United Kingdom’s largest outsourcers, supporting much of the country’s critical infrastructure and data, Capita’s customers, staff and investors have all been awaiting confirmation that their data and systems are unaffected. Capita’s initial statements to the press that the problems were an IT issue, even going as far as to say the issue was resolved, have fuelled speculation and distrust in the company, indicated by the market’s 10% drop in their share price following Black Basta’s publication.
The incident has shown not just the importance of technical controls and containment functionality in a cyber-attack, but also the critical role of marketing, legal, public and investor relations teams in ensuring transparent, concise and correct communications can be issued and helping retain public image.
Recommendations
The following actions are recommended for preventing and detecting a Black Basta ransomware attack:
- Ensure regular user awareness training is undertaken on identifying and responding to phishing emails, especially those containing malicious attachments
- Block unnecessary file types on email filtering such as executables and ISOs
- Prevent end users from mounting new drives which are commonly used by adversaries to bypass malware protection filters
- Enable tamper protection, anti-virus and EDR software and include monitoring for attempts to disable its functionality
- If not in use in the environment, monitor for AnyDesk, AteraAgent and Splashtop remote support tools being installed and used by attackers
- Monitor for indicators of CobaltStrike, Mimikatz and Qakbot as common initial access and post exploitation frameworks used by multiple threat actors
- Ensure EDR signatures are regularly updated and, if not configured, automated responses are enabled to quarantine and mitigate threats
- Create and regularly test incident response procedures and playbooks for containing and eradicating an incident
- Prepare template communications for staff, investors and the public when dealing with an incident so that all publications remain consistent
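The three monitoring recommendations above (unexpected remote-support tools, attempts to disable protection, and indicators of common post-exploitation tooling) can be expressed as simple detection rules run over endpoint telemetry. The following is an added example written for this summary, not code from the original report or from any of the referenced vendors. It parses constructed, newline-delimited JSON event records of the kind a SIEM agent forwards, using the standard Windows event IDs 7045 (System: a service was installed) and 5001 (Microsoft Defender Antivirus Operational: real-time protection disabled) and Sysmon event ID 1 (process creation); the hostnames, usernames, paths and the list of "unsanctioned" tools are all assumptions for the example.

```python
"""Triage constructed Windows event records for tradecraft named in the recommendations.

Added example, not from the original report. Every record in SAMPLE_EVENTS is
constructed; event IDs are the standard Windows ones (System 7045 = service
installed, Defender Operational 5001 = real-time protection disabled,
Sysmon 1 = process creation). Hosts, users and paths are made up.
"""
import json
import re

# Remote-support tools that are assumed NOT to be sanctioned in this hypothetical estate.
UNSANCTIONED_REMOTE_TOOLS = ("anydesk", "ateraagent", "splashtop")

# Name fragments of tooling the report lists as common post-exploitation frameworks.
# Name matching is a weak signal (attackers rename binaries); pair it with hash or behavioural rules.
SUSPICIOUS_PROCESS_PATTERNS = re.compile(r"(mimikatz|cobaltstrike|qakbot|qbot)", re.I)

# Constructed sample telemetry, one JSON object per line, as a SIEM agent might forward it.
SAMPLE_EVENTS = r"""
{"host":"WS-0412","event_id":7045,"channel":"System","service_name":"AnyDesk Service","image_path":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe --service","user":"SYSTEM"}
{"host":"WS-0412","event_id":7045,"channel":"System","service_name":"Backup Agent","image_path":"C:\\Program Files\\Backup\\agent.exe","user":"SYSTEM"}
{"host":"SRV-FS01","event_id":5001,"channel":"Microsoft-Windows-Windows Defender/Operational","user":"CORP\\svc_admin"}
{"host":"WS-0199","event_id":1,"channel":"Microsoft-Windows-Sysmon/Operational","image":"C:\\Users\\Public\\mimikatz.exe","user":"CORP\\jsmith"}
{"host":"WS-0199","event_id":1,"channel":"Microsoft-Windows-Sysmon/Operational","image":"C:\\Windows\\System32\\notepad.exe","user":"CORP\\jsmith"}
"""


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines and malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A production pipeline should count and surface these rather than drop them silently.
            continue
    return events


def triage(events):
    """Return (rule, host, detail) tuples for every event that matches a detection rule."""
    alerts = []
    for ev in events:
        eid = ev.get("event_id")
        host = ev.get("host", "?")
        if eid == 7045:
            # Service installation: flag remote-support tools that are not sanctioned here.
            blob = (ev.get("service_name", "") + " " + ev.get("image_path", "")).lower()
            if any(tool in blob for tool in UNSANCTIONED_REMOTE_TOOLS):
                alerts.append(("unsanctioned_remote_tool_service", host, ev.get("service_name")))
        elif eid == 5001 and "Defender" in ev.get("channel", ""):
            # Real-time protection switched off: who did it matters for the follow-up.
            alerts.append(("realtime_protection_disabled", host, ev.get("user")))
        elif eid == 1 and "Sysmon" in ev.get("channel", ""):
            image = ev.get("image", "")
            if SUSPICIOUS_PROCESS_PATTERNS.search(image):
                alerts.append(("suspicious_process_name", host, image))
    return alerts


def run_sample():
    """Run the rules over the constructed telemetry and return the alerts."""
    return triage(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"[{rule}] {host}: {detail}")
```

On the sample above the script raises three alerts (the AnyDesk service install, the Defender real-time protection change, and the mimikatz-named process) and ignores the legitimate backup agent and notepad. The same shape of rule set can be loaded into an EDR or SIEM, where the response recommended above (automated quarantine) can be attached to the service-install and protection-disabled rules, which are the two with the lowest false-positive rate in an estate that has no sanctioned use of those tools.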
References
Double Pulsar, https://doublepulsar.com/black-basta-ransomware-group-extorts-capita-with-stolen-customer-data-capita-fumble-response-9c3ca6c3b283
HHS, https://www.hhs.gov/sites/default/files/black-basta-threat-profile.pdf
Kroll, https://www.kroll.com/en/insights/publications/cyber/black-basta-technical-analysis
The Times, https://www.thetimes.co.uk/article/capita-hit-by-it-breakdown-amid-fears-of-cyberattack-glxtvnm72