Black Basta chat logs reveal threat intel, Termite ransomware leaks patient data on the dark web, and Ghostwriter targets Belarusian opposition.
Analysis Summary
# Incident Report: Data Theft, Extortion, and Espionage Activities
## Executive Summary
This summary covers three distinct security incidents involving data theft/extortion operations by cybercriminals (including the arrest of a prolific data thief), a ransomware attack resulting in a major patient data leak, and a targeted espionage campaign leveraging malware-laced documents against Ukrainian and Belarusian opposition entities. These incidents highlight diverse threats including data exfiltration for extortion, data exfiltration/encryption via ransomware, and state-sponsored cyber espionage utilizing social engineering.
## Incident Details
- **Discovery Date:** Varies; specific discovery dates not always provided, but arrests and public disclosures occurred recently.
- **Incident Date:** Varies (e.g., Data thief active since 2020; Genea attack in late January [year not specified, assumed recent]).
- **Affected Organization:** Multiple organizations globally (by data thief), Genea (Australia), Ukrainian government/military, Belarusian opposition activists.
- **Sector:** General (Data Thief), Healthcare/Fertility Services (Genea), Government/Defense/Activism (Espionage).
- **Geography:** Global (Asia-Pacific, Europe, North America), Australia, Ukraine, Belarus.
## Timeline of Events
### Initial Access
- **Date/Time:** Data thief active since 2020; Genea attack in late January; Espionage campaign recent.
- **Vector:** Data thief: SQL injection, vulnerable RDP servers. Termite: Exploited Citrix server. Ghostwriter/Espionage: Malware-laced Excel documents delivered via phishing (e.g., Google Drive hosted RAR archives).
- **Details:** Data thief deployed Cobalt Strike after gaining access. Termite targeted a Citrix server, gaining access to file servers, domain controllers, and patient management systems. Ghostwriter used Macropack-obfuscated VBA macros and .NET downloaders.
### Lateral Movement
- **Data Thief:** Implied movement to exfiltrate 13TB of data over several years.
- **Termite:** Moved from the exploited Citrix server to critical systems including the primary file server, domain controller, and patient management system.
- **Espionage:** Deployed PicassoLoader payloads, leading to second-stage malware execution (e.g., deployment of a .NET DLL named `LibCMD`).
### Data Exfiltration/Impact
- **Data Thief:** Exfiltrated over 13TB of data from 90+ organizations. Used threats of reputational damage, contacting media/regulators, and direct customer contact. In rare cases, encrypted databases.
- **Termite:** Stole 700GB (a figure later revised to 940.7GB) of sensitive patient data (names, contact info, health details, medical histories) from Genea, exfiltrating it to a DigitalOcean server. Also engaged in extortion and encryption.
- **Espionage:** Focused on cyber espionage and information manipulation against government/opposition targets.
### Detection & Response
- **Data Thief:** Arrested in Bangkok through a joint operation by Thai and Singaporean police with Group-IB assistance.
- **Termite/Genea:** Genea disclosed the attack and is working with the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).
- **Espionage:** Activity observed and analyzed by security researchers (e.g., SentinelLABS team).
## Attack Methodology
| Category | Data Thief / Extortionist | Termite Ransomware | Ghostwriter / Espionage |
| :--- | :--- | :--- | :--- |
| **Initial Access** | SQL injection, vulnerable RDP | Exploitation of Citrix server | Phishing (Malware-laced Excel documents) |
| **Persistence** | Implied (Cobalt Strike deployment) | Implied | Use of PicassoLoader payloads |
| **Privilege Escalation** | Not explicitly detailed | Gained access to Domain Controller | Not explicitly detailed |
| **Defense Evasion** | Not explicitly detailed | Not explicitly detailed | Obfuscation (Macropack, ConfuserEx) |
| **Credential Access** | Not explicitly detailed | Not explicitly detailed | Not explicitly detailed |
| **Discovery** | Implied (Surveying targets) | Gained access to file server, patient management system | Targeting government/opposition infrastructure |
| **Lateral Movement** | Implied | Moved to file server, domain controller | Deployed second-stage malware |
| **Collection** | Exfiltration of 13TB data | Stealing 700GB - 940.7GB patient data | Collection focused on intelligence gathering |
| **Exfiltration** | Data leaks, notifying media/regulators | Exfiltration to DigitalOcean cloud server | Information manipulation/espionage |
| **Impact** | Extortion attempts, reputational damage | Data leak, data encryption (in some operations) | Spreading anti-NATO narratives, cyber espionage |
## Impact Assessment
- **Financial:** Data thief leveraged extortion threats for financial gain; Black Basta amassed $107M worth of BTC. Termite/Genea financial impact is implied by the extortion attempt rather than quantified.
- **Data Breach:** Data thief: >13TB from 90+ organizations. Genea: 940.7GB of sensitive patient PII/PHI.
- **Operational:** Genea systems (File server, DC, PMS) were compromised. Black Basta experienced internal conflict leading to member defections.
- **Reputational:** Data thief pressured victims by notifying media/regulators. Genea faced public disclosure of sensitive patient data theft.
## Indicators of Compromise
- **Network Indicators:**
  - Black Basta primary vectors: SMB misconfigurations, exposed RDP servers.
  - Data Thief used Cobalt Strike post-initial access.
  - Termite exfiltrated data to a generic cloud server (DigitalOcean).
- **File Indicators:**
  - Ghostwriter/Espionage: Macropack-obfuscated VBA macros, .NET downloaders, PicassoLoader payloads.
  - Ghostwriter deployed a .NET DLL named `LibCMD`.
- **Behavioral Indicators:**
  - Deployment of malware via trusted document types (Excel).
  - Pressure tactics involving contacting media and regulators.
  - Internal conflicts within threat groups (Black Basta).
## Response Actions
- **Containment:** Joint operation by Thai and Singaporean Police to arrest the data thief (Chia). Genea is working with ACSC and OAIC.
- **Eradication:** Arrest of the data thief represents a major step in eradicating this specific threat vector.
- **Recovery:** Genea advised patients to watch for identity theft scams; ongoing investigation with authorities.
## Lessons Learned
- **Adversarial Leaks Provide Value:** Leaks of internal chats (Black Basta) offer valuable intelligence on group structures, instability, and tactics, aiding tailored countermeasures.
- **Diverse Extortion Tactics:** Attackers leverage not just encryption but public shaming (media/regulators) and direct victim customer contact to maximize pressure.
- **State-Sponsored Techniques Remain Consistent:** The Ghostwriter campaign continues to blend hacking with information manipulation, relying on established tooling and delivery techniques (e.g., VBA macros).
## Recommendations
- **RDP/SMB Hardening:** Immediately audit and secure all Remote Desktop Protocol (RDP) and Server Message Block (SMB) services, enforcing strong credentials and network restrictions (as indicated by Black Basta TTPs).
- **Patch and Harden Internet-Facing Assets:** Prioritize patching SQL services and implementing strong access controls or MFA on all externally facing services, especially VPN/Remote Access solutions like Citrix (per Termite TTPs).
- **Spear-Phishing Defense:** Enhance employee training, especially against lures disguised as official documents delivered via cloud storage/email (per Ghostwriter TTPs), ensuring robust macro security policies are enforced.
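The three recommendations above map to settings an administrator can verify on each Windows host. The following read-only audit is an added example, not part of the report; it assumes Office 2016 or later (policy keys under version `16.0`), that Office macro policy is deployed via Group Policy (which lands under `HKCU:\Software\Policies`), and an elevated shell.

```powershell
# Read-only audit of the RDP, SMB and Office macro controls recommended above.
# Added example (not from the report); assumes Office 16.0 policy keys and an elevated shell.
function Test-RdpSmbMacroHardening {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Check  = $Check
            Status = $(if ($Pass) { 'PASS' } else { 'FAIL' })
            Detail = $Detail
        })
    }

    # RDP: if enabled (fDenyTSConnections = 0), Network Level Authentication must be required
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty $tsKey -ErrorAction SilentlyContinue
    $rdpOn = ($ts.fDenyTSConnections -eq 0)
    $nla   = (Get-ItemProperty "$tsKey\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue).UserAuthentication
    Add-Finding 'RDP NLA' ((-not $rdpOn) -or ($nla -eq 1)) "RDP enabled: $rdpOn; UserAuthentication: $nla"

    # SMB: legacy SMBv1 must be off and signing required, so old or unauthenticated clients are rejected
    $smb = Get-SmbServerConfiguration
    Add-Finding 'SMBv1 disabled' (-not $smb.EnableSMB1Protocol)  "EnableSMB1Protocol: $($smb.EnableSMB1Protocol)"
    Add-Finding 'SMB signing'    ($smb.RequireSecuritySignature) "RequireSecuritySignature: $($smb.RequireSecuritySignature)"

    # Office macros: block macros in files carrying Mark-of-the-Web (downloaded / cloud-delivered documents)
    # and allow only signed VBA. VBAWarnings: 1 = enable all, 2 = disable with notification,
    # 3 = disable except digitally signed, 4 = disable all. Unset means the user controls it -> FAIL.
    foreach ($app in 'Excel', 'Word') {
        $pol = Get-ItemProperty "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
        Add-Finding "$app MOTW block"  ($pol.blockcontentexecutionfrominternet -eq 1) "blockcontentexecutionfrominternet: $($pol.blockcontentexecutionfrominternet)"
        Add-Finding "$app VBAWarnings" ([int]$pol.VBAWarnings -ge 3)                 "VBAWarnings: $($pol.VBAWarnings)"
    }
    return $findings
}

Test-RdpSmbMacroHardening | Format-Table -AutoSize
```

Any FAIL row corresponds directly to one of the initial-access vectors named in this report (exposed RDP, SMB misconfiguration, macro-laced documents from cloud storage); the script changes nothing, so it is safe to run as a baseline before remediation.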