Lessons from BlackBasta Ransomware

The ICO report details a March 2023 BlackBasta ransomware attack on Capita that led to exfiltration of over six million individuals’ records and a £14 million fine, with systemic detection, containment, and AD privilege-management failures enabling the breach. Post-incident analysis highlights operator TTPs including credential harvesting, lateral movement using a backupadmin domain account, extensive reconnaissance, and use of tools like Rclone and SystemBC for exfiltration. #BlackBasta #Capita

Key points

  • BlackBasta compromised Capita in March 2023, exfiltrating data for 6,024,221 data subjects and later deploying ransomware across the environment.
  • Capita’s SOC missed or deprioritised critical alerts (e.g., jdmb.js P2 alert), with a 58-hour delay to isolate the initial infected device and failure to meet SLAs for alert handling.
  • Threat actors escalated to and abused a privileged service account (CAPITAbackupadmin), enabling lateral movement across at least 8 domains and attempted ransomware deployment on 1,057 hosts.
  • Sensitive data types stolen included passport and driver’s license scans, national insurance numbers, bank account details, biometrics, criminal record checks, and employee login details.
  • Previous penetration tests had identified AD and privilege issues that were not remediated in time, contributing to the successful escalation and exfiltration.
  • Operational gaps included understaffed SOC shifts, lack of automation/SOAR for rapid containment, missing AD tiering, and insufficient privileged account controls/PAM.
  • Recommended mitigations: enforce measurable SLAs with automated escalation, implement AD tiering and PAM, act promptly on pentest findings, and deploy SOAR playbooks to automate containment and escalation.
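The last bullet calls for measurable SLAs with automated escalation. The script below is an added example written for this summary, not code from the blog post, the ICO report, or Capita: it tracks each alert's triage and containment stages against per-priority SLA targets and emits the escalation action a SOAR playbook would fire once a stage is overdue. The SLA minutes, escalation actions, hostnames and timestamps are all assumed or constructed for the example; the 58-hour containment delay in the first sample alert mirrors the figure cited above so the check's output can be compared with it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Per-priority SLA targets in minutes. Assumed values for this example,
# not figures taken from the ICO report.
SLA_MINUTES = {
    "P1": {"triage": 15, "contain": 60},
    "P2": {"triage": 60, "contain": 240},
    "P3": {"triage": 480, "contain": 1440},
}

# Escalation a SOAR playbook would trigger when a stage breaches its SLA
# (assumed playbook actions).
ESCALATION = {
    "triage": "page SOC shift lead; reassign alert to next available analyst",
    "contain": "auto-isolate host via EDR; page incident manager",
}


@dataclass
class Alert:
    alert_id: str
    priority: str
    host: str
    summary: str
    created: datetime
    triaged: Optional[datetime] = None   # None = not yet triaged
    contained: Optional[datetime] = None  # None = host not yet isolated


def stage_overdue_minutes(alert: Alert, stage: str, now: datetime) -> int:
    """Minutes past the SLA target for one stage, or 0 if within SLA.

    A finished stage is measured from alert creation to its completion time;
    an unfinished stage is measured up to `now`, so an alert that sits
    untriaged keeps accruing overdue time on every evaluation.
    """
    done_at = alert.triaged if stage == "triage" else alert.contained
    elapsed = ((done_at or now) - alert.created).total_seconds() / 60
    target = SLA_MINUTES[alert.priority][stage]
    return max(0, int(elapsed - target))


def evaluate_queue(alerts, now: datetime):
    """Return one escalation record per breached stage, worst breach first."""
    records = []
    for alert in alerts:
        for stage in ("triage", "contain"):
            overdue = stage_overdue_minutes(alert, stage, now)
            if overdue > 0:
                records.append({
                    "alert_id": alert.alert_id,
                    "priority": alert.priority,
                    "host": alert.host,
                    "stage": stage,
                    "overdue_minutes": overdue,
                    "action": ESCALATION[stage],
                })
    records.sort(key=lambda r: r["overdue_minutes"], reverse=True)
    return records


# Constructed sample queue (hostnames and timestamps are invented).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [
    # P2 script alert whose host was isolated 58 hours after it fired.
    Alert("A-1001", "P2", "WS-0421", "jdmb.js executed by wscript.exe", T0,
          triaged=T0 + timedelta(hours=9), contained=T0 + timedelta(hours=58)),
    # P1 privileged-account alert handled inside both SLA targets.
    Alert("A-1002", "P1", "SRV-DC01",
          "CAPITAbackupadmin interactive logon to new host",
          T0 + timedelta(hours=1),
          triaged=T0 + timedelta(hours=1, minutes=10),
          contained=T0 + timedelta(hours=1, minutes=45)),
    # P3 exfiltration-tool alert still untriaged at evaluation time.
    Alert("A-1003", "P3", "WS-0077", "rclone.exe executed", T0 + timedelta(hours=40)),
]
NOW = T0 + timedelta(hours=60)

if __name__ == "__main__":
    for rec in evaluate_queue(SAMPLE_ALERTS, NOW):
        print(f"{rec['alert_id']} {rec['priority']} {rec['host']}: "
              f"{rec['stage']} overdue by {rec['overdue_minutes']} min -> {rec['action']}")
```

Running the script lists A-1001's containment breach first (3240 minutes over a 240-minute target), then the untriaged P3 alert, then A-1001's late triage; A-1002 produces no record. In production the same evaluation would run on a schedule against the ticketing or SIEM queue, and the `action` field would be the playbook invoked rather than a printed string.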

MITRE Techniques

  • [T1555.003] Credentials from Web Browsers – Used for credential theft as referenced by Qakbot’s browser credential theft capability (“Credentials from Web Browsers (specifically performed by Qakbot)”)
  • [T1558] Steal or Forge Kerberos Tickets – Kerberos credential harvesting traces were observed after initial access (“there were traces of Kerberos credential harvesting and reconnaissance activity found following the Incident”)
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration performed using tools such as SystemBC and Rclone (“Exfiltration Over C2 Channel (performed by SystemBC and Rclone)”)
  • [S0154] Cobalt Strike – Cobalt Strike was referenced as a likely execution path for operator PowerShell commands and reconnaissance (“PowerShell invocation (potentially via Cobalt Strike) to enumerate every system in the domain”)
  • [S0650] Qakbot – Qakbot was referenced as part of the threat tooling linked to credential theft and initial access activity (“Qakbot – https://attack.mitre.org/software/S0650/”)
  • [S0521] BloodHound – BloodHound-style AD reconnaissance and mapping was implied by operator activity that enumerated and mapped domain hosts (“net reconnaissance mapping hosts and IPs (likely to plan lateral movement, targeting, exfiltration or ransomware deployment)”), consistent with BloodHound usage for AD mapping

Indicators of Compromise

  • [Domain] Internal AD/Citrix environment observed in leaked operator chat – corpcitrix.ad.capita.co.uk
  • [File name] Initial malicious script that triggered alerts – jdmb.js
  • [Account] Privileged service account abused for lateral movement – CAPITAbackupadmin
  • [File types] Examples of stolen data file types – passport scans, driver’s license scans (evidence found in leaked data samples)
  • [Tooling] Exfiltration and C2 tools referenced – Rclone, SystemBC (and references to Qakbot and Cobalt Strike)
Read more: https://blog.bushidotoken.net/2025/10/lessons-from-blackbasta-ransomware.html