Black Basta Cyber Gang Targets UK’s Southern Water, Leaks Sensitive Data

The prominent British firm Southern Water, responsible for water supply and sewage treatment across southern England, including Hampshire, the Isle of Wight, West and East Sussex, as well as parts of Kent, was subjected to a cyberattack.

On January 24, 2024, the ransomware group Black Basta announced on its data-leak site that it had breached Southern Water’s computer networks and stolen about 750 gigabytes of confidential data. The stolen material reportedly includes personal documents of employees (passports and identity cards) as well as internal corporate records.

The perpetrators threatened to release the stolen data on February 29 unless a ransom was paid. The amount of the ransom remains undisclosed. As proof of the hack, the hackers posted screenshots of some of the pilfered files.


Black Basta is a ransomware and extortion operation. It has been active since April 2022 and targets large organizations worldwide. In that time, according to estimates from analysts at Elliptic and Corvus Insurance, the group has received over 107 million dollars in Bitcoin ransom payments and has breached no fewer than 329 organizations, including corporations such as ABB, Capita, Dish Network, and Rheinmetall.

The group runs a double extortion model: it steals data before encrypting the victim’s systems and, if the ransom is refused, publishes portions of the stolen information on its leak site. By tracing Bitcoin transactions, researchers established close links between Black Basta and the Conti group, which disbanded in 2022; Black Basta is widely presumed to be a rebranding of part of that operation.

The primary channel Black Basta uses to launder its ransom proceeds is the Garantex cryptocurrency exchange, where the group converts bitcoin into fiat currency.

In December 2023, researchers at SRLabs published a detailed analysis of Black Basta’s encryption routine and found a significant implementation flaw: the encryptor reused the same 64-byte keystream throughout a file instead of advancing it, which makes recovery of encrypted files possible under certain conditions.

Depending on the file size, the ransomware encrypts only part of each file, beginning with the first 5,000 bytes. Files smaller than 5,000 bytes cannot be recovered. Files between 5,000 bytes and 1 GB, however, can be fully decrypted if 64 bytes of plaintext are known for one of the encrypted blocks: XORing the known plaintext against the corresponding ciphertext yields the reused keystream, which then unmasks every other encrypted block in the file. Zero-filled regions, common in virtual machine disk images and other large files, make such known plaintext easy to find.

Based on this finding, SRLabs released a decryption tool, Black Basta Buster, that lets victims recover files encrypted before December 2023. Unfortunately, shortly after the research was published, the operators fixed the bug in their encryptor.
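To make the flaw concrete, here is an added example written for this page; it is not SRLabs’ Black Basta Buster and not code from the malware. It models the class of bug SRLabs described: a 64-byte keystream XORed into blocks of a file without ever being advanced. The block spacing (one encrypted 64-byte block every 128 bytes), the sample file, its header and the keystream are all constructed assumptions for the demonstration, and the size thresholds above (under 5,000 bytes, over 1 GB) are not modelled. It shows two recovery paths: a known header that reveals the keystream, and the more general trick of voting for the most repeated ciphertext block, which is what zero-filled plaintext blocks turn into.

```python
from collections import Counter
import hashlib

CHUNK = 64    # keystream length reused per block (the size SRLabs reported)
STRIDE = 128  # assumption for this demo: an encrypted 64-byte block every 128 bytes

# Constructed stand-in for the malware's keystream; a real sample would use a random key.
DEMO_KEYSTREAM = hashlib.sha256(b"demo keystream").digest() * 2   # 64 bytes

# Constructed sample file: a recognisable 64-byte header, then data interleaved with
# zero-filled blocks (as found in disk images, sparse files and format padding).
HEADER = b"CONSTRUCTED-SAMPLE-HEADER-v1".ljust(CHUNK, b"#")
SAMPLE_FILE = (
    HEADER                                  # offset 0: encrypted block, plaintext known
    + b"A" * 64                             # offset 64: gap, left in clear
    + bytes(64)                             # offset 128: encrypted zero block
    + b"B" * 64                             # offset 192: gap
    + bytes(64)                             # offset 256: encrypted zero block
    + b"C" * 64                             # offset 320: gap
    + b"secret payload".ljust(CHUNK, b".")  # offset 384: encrypted block
)


def xor_blocks(data: bytes, keystream: bytes) -> bytes:
    """XOR the same 64-byte keystream into every block at STRIDE intervals.

    The keystream is never advanced, so every encrypted block is masked with
    identical bytes: that is the flaw. XOR is its own inverse, so this function
    both encrypts and decrypts."""
    if len(keystream) != CHUNK:
        raise ValueError("keystream must be exactly 64 bytes")
    out = bytearray(data)
    for off in range(0, len(out), STRIDE):
        for i in range(min(CHUNK, len(out) - off)):
            out[off + i] ^= keystream[i]
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Recover the reused keystream from 64 bytes of known plaintext at an encrypted block."""
    if offset % STRIDE != 0 or len(known_plaintext) != CHUNK:
        raise ValueError("need exactly 64 known bytes at a block-aligned offset")
    block = ciphertext[offset:offset + CHUNK]
    if len(block) != CHUNK:
        raise ValueError("offset is beyond the end of the file")
    return bytes(c ^ p for c, p in zip(block, known_plaintext))


def guess_keystream_from_zero_blocks(ciphertext: bytes):
    """No known header? A zero-filled plaintext block encrypts to the keystream itself,
    so the most frequently repeated encrypted block is a strong keystream candidate."""
    blocks = [ciphertext[off:off + CHUNK] for off in range(0, len(ciphertext), STRIDE)]
    blocks = [b for b in blocks if len(b) == CHUNK]
    if not blocks:
        return None
    candidate, votes = Counter(blocks).most_common(1)[0]
    return candidate if votes >= 2 else None   # a single occurrence proves nothing


if __name__ == "__main__":
    ct = xor_blocks(SAMPLE_FILE, DEMO_KEYSTREAM)
    ks = recover_keystream(ct, HEADER, 0)
    print("keystream from known header matches:", ks == DEMO_KEYSTREAM)
    print("keystream from zero blocks matches:",
          guess_keystream_from_zero_blocks(ct) == DEMO_KEYSTREAM)
    print("full file recovered:", xor_blocks(ct, ks) == SAMPLE_FILE)
```

The fix the operators shipped is, in these terms, simply advancing the keystream per block (a proper stream-cipher counter), after which neither a known header nor repeated zero blocks gives anything away; that is why files encrypted by the patched version are out of reach.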

The Southern Water incident is Black Basta’s first high-profile attack of 2024, and it was carried out with the already patched encryptor, so the SRLabs decryptor does not apply. The company now faces a difficult choice: give in to the extortionists’ demands or find another way out of the predicament. The outcome will be an indication of how effective Black Basta’s updated toolset is.