Unmasking Cyber Threats: Exploring the Dark Realities of the Capita Ransomware Attack

Our recent blog documented the enormous impact of a cyber ransomware attack on Capita, which has continued to affect the data and violate the privacy of thousands of UK consumers and businesses handling secure and sensitive information. Cited as one of the most significant known impacts on UK businesses and consumers, in this blog, we’ll dive more in-depth into the criminals behind this attack. We’ll also offer insight into how this happened and what smaller to medium businesses can do to protect themselves from this kind of event.

Questionable Motivations

Those responsible for oversight of the UK’s cyberspace, such as the National Crime Agency (NCA), are reporting the rise of cyber attacks targeted at businesses rather than individuals. And the impact is getting more severe. Cyber attackers are no longer just “lone wolves” but have joined with others to form groups with differing motivations and ideologies.

The original lone hacker, typified by the teenager in the bedroom, sees attacking businesses and governments as a game and challenges themselves to increasingly develop extreme skills, resulting in access to highly sophisticated systems, including secure government and defence networks.

One 16-year-old, purported ring-leader of the UK group Lapsus$, took down Microsoft. Another British teenager was arrested in 2019 after successfully hacking into Cloud accounts holding songs from some of the world’s best-known musical artists.

The rise of hacktivist campaign groups, such as Anonymous, is driven by social beliefs or political or religious affiliations. Their motivations are typically to target government agencies and to inflict damage or cause embarrassment rather than to steal data. They, too, may create disruption but impact businesses to a lesser extent.

Cyber attack groups that use the most sophisticated means of attack are generally believed to be state-sponsored. Black Basta is a Russian-speaking group and typically targets English-speaking countries in the “Five Eyes” defence community. Because of this, the group is believed to have an underlying political agenda. Capita is one of those organisations that support the fabric of British society heavily behind the scenes, as do many outsourced service providers and businesses that handle public information and process data on behalf of government bodies and agencies.

Who was behind this attack?

The difficulty in detection is that the distinction between nation-states and criminal groups is becoming increasingly blurred, making it harder to attribute cyber crime to specific groups. The NCA acknowledges that Russian language criminals operating ransomware as a service are responsible for the most high-profile cybercrime attacks experienced against the UK.

Black Basta (also known as ‘BlackBasta’) is a well-known ransomware group. Newly formed in 2022, they have rapidly become one of the most active known threat groups, attacking businesses in multiple countries such as the US, Japan, Canada, the UK, Australia and New Zealand. Being financially motivated, with the intent to gain as much money as they can, they use what’s known as a “double extortion technique.” This means that once they have infiltrated a company’s IT system and stolen high-quality data, they encrypt it so that it cannot be used by the company they have attacked and then threaten to publish or sell the data for a ransom of millions of pounds.

Black Basta claimed responsibility for this most recent attack and began advertising the data it had stolen from Capita’s IT system network. With a high level of sophistication in their attack methods and a reluctance to recruit or promote on Dark Web forums, many cyber attack watchers and analysts believe that Black Basta is either made up of members of another known criminal group or just a rebrand of the Russian-speaking group “Conti,” and could be linked to other Russian-speaking cyber threat groups. It appears that both groups use similar tactics and techniques.

How Do They Do It?

The details of Black Basta’s attack have not been made public. However, we can draw some conclusions. Like most cyber attacks, a seizure usually begins through human error. Typically, through a phishing email, Black Basta will gain initial systems access via a link embedded in a malicious document. Usually, this link arrives via email in a password-protected zip file.

Businesses must be aware that simple human errors, often through carelessness rather than maliciously, can result in catastrophic damage. For example, employees away on business connecting to unsecured Wi-Fi networks can make it easier for cyber attackers to access systems. Using the same password on multiple sites on both work and personal devices is another central area of vulnerability. Missing phishing emails while working in haste or lacking reinforcement training may have initiated this attack. IT Managers and CISOs need multiple layers of protection, such as training, awareness, and processes, to enable staff to safely perform regular operational duties to contain any potential threat. Insider threat is another vulnerability, and when an employee leaves under bad terms, there must be protections in place to prevent any unexpected breaches of company data, passwords, or critical processes.

In Capita’s case, staff initially reported that correct passwords were being rejected when they tried to log into its Microsoft Office 365 suite of applications. A vulnerability within

Microsoft Active Directory, which holds details of every user account on the network, is believed to have been targeted so that users could neither login nor change their passwords. Mass text messages were sent to Capita staff telling them not to log into corporate IT systems, but many of those messages still needed to be received.

What is the Active Directory Vulnerability 2023?

CVE-2023-21676 is a recently detected vulnerability in part of the Lightweight Directory Access Protocol (LDAP) system. Access enables attackers to execute code remotely onto Windows Server installations and gain System privileges, the highest user access level in Windows. The vulnerability affects all currently supported versions of Windows servers and clients.

In June 2023, Microsoft announced that it had acted against this zero-day vulnerability and provided a security patch.

What Should Companies be Aware of?

It is critical to review all layers of process, training, and security protocols and ensure company-wide awareness of the risks of cyber attacks. In practical and immediate terms and to effectively reduce the risks associated with this specific vulnerability, IT security staff should immediately apply the Microsoft patch issued on April 11, 2023.

In addition, Thrive recommends the following security best practices to mitigate the threat significantly:

1. Regularly assess IT systems to identify vulnerabilities and misconfigurations.
2. Ensure you patch and upgrade operating systems, firmware and applications.
3. Have a policy of multi-factor authentication (MFA) and phishing protection.
4. Train staff with simulated attack scenarios and ensure that processes are in place to report to the internal cybersecurity team promptly.

Thrive can advise, audit, and suggest how your IT security policy and procedures shape up to acceptable risk standards.

Contact Thrive today to discuss how we can reduce your risk of a cyber attack.