Full Report
BT Group said it had detected “an attempt to compromise” its conferencing platform after the Black Basta ransomware group claimed on its darknet leak site to have obtained the company's corporate data.
Analysis Summary
# Incident Report: Black Basta Ransomware Attempt Against BT Group
## Executive Summary
The British telecoms giant BT Group confirmed an attempted cyberattack in December 2024, initially claimed by the Black Basta ransomware group. The attackers successfully compromised specific elements of the BT Conferencing platform, leading to the potential exfiltration of corporate data, including employee information. BT contained the incident by rapidly isolating and taking the affected servers offline, resulting in no impact to live BT Conferencing services or other core business operations.
## Incident Details
- **Discovery Date:** On or around December 4th, 2024 (when BT confirmed the incident following the gang's claim).
- **Incident Date:** Unspecified; the compromise occurred before the public confirmation on December 4th, 2024.
- **Affected Organization:** BT Group (British telecommunications company).
- **Sector:** Telecommunications.
- **Geography:** United Kingdom (UK).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to December 4th, 2024.
- **Vector:** Unknown, but attributed to the Black Basta ransomware group.
- **Details:** Attackers achieved compromise of specific elements within the BT Conferencing platform infrastructure.
### Lateral Movement
- Details are not specified in the source text; the attackers likely moved within the targeted segment of the platform to reach sensitive data.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Black Basta claimed to have obtained corporate data, including personal information relating to employees, non-disclosure agreements, and other sensitive corporate documents.
- **Impact on Services:** The impacted servers did *not* support live BT Conferencing services, which remained operational. No other BT Group or customer services were affected.
### Detection & Response
- **How it was discovered:** The attack was publicly revealed when the Black Basta group posted claims and evidence of the compromise on its darknet leak site.
- **Response actions taken:** BT rapidly took the affected servers offline and isolated them. BT is actively investigating the incident and coordinating with the relevant regulatory and law enforcement bodies.
## Attack Methodology
- **Initial Access:** Claimed to be executed by Black Basta (specific vector unknown).
- **Persistence:** Not specified.
- **Privilege Escalation:** Not specified.
- **Defense Evasion:** Not specified.
- **Credential Access:** Not specified.
- **Discovery:** Not specified.
- **Lateral Movement:** Observed within the scope of the targeted conferencing platform elements.
- **Collection:** Gained access to employee personal information, NDAs, and corporate data.
- **Exfiltration:** Data was exfiltrated and subsequently posted as evidence on Black Basta's leak site.
- **Impact:** Data was stolen, generating a public claim by the threat actor.
## Impact Assessment
- **Financial:** No public estimate provided.
- **Data Breach:** Confirmed compromise of employee personal information and sensitive corporate data (NDAs).
- **Operational:** Minimal operational impact reported; specific conferencing servers were isolated, but live services remained fully operational. Core infrastructure was reportedly unimpacted.
- **Reputational:** Potential reputational damage due to the public nature of the disclosure via a ransomware gang leak site.
## Indicators of Compromise
- **Network indicators:** None provided in the source report (no URLs or IP addresses were published).
- **File indicators:** None provided.
- **Behavioral indicators:** Activity consistent with a Black Basta ransomware operation targeting a corporate system.
## Response Actions
- **Containment measures:** Rapid isolation and decommissioning of the specific servers hosting the compromised system elements.
- **Eradication steps:** Under investigation; eradication is likely to involve thorough scanning and remediation of the isolated conferencing platform segment.
- **Recovery actions:** Services on unaffected systems continued as normal. Recovery focuses on the isolated platform elements.
## Lessons Learned
- The use of third-party platforms (conferencing services) remains a viable entry point for ransomware operations like Black Basta.
- The speed with which the threat actor broadcast the breach on its leak site forced BT to issue a rapid public confirmation.
## Recommendations
- Comprehensive security audit of all third-party integration points, especially business-critical platforms like conferencing services.
- Review and enhance segmentation between core corporate network infrastructure and ancillary services so that a compromise of one platform cannot spill over into others, even when the initial impact appears limited.
- Review incident response communication plans, specifically addressing how to respond immediately to verified threat actor claims on darknet leak sites as opposed to incidents found through traditional detection mechanisms.