A newly leaked trove of internal chat logs has exposed how the Black Basta ransomware gang leverages data broker information to research and target its victims.
Black Basta is a notorious Russian-language ransomware group responsible for hundreds of cyberattacks on critical infrastructure and businesses worldwide. Known for its aggressive tactics, Black Basta has targeted major organizations, including U.S. healthcare provider Ascension, U.K. utility company Southern Water, and British outsourcing firm Capita. Recently, a massive leak of the group's internal chat logs has provided new insights into its operations, including its use of data broker information when targeting organizations.
The leak, which includes over 200,000 messages spanning from September 2023 to September 2024, exposes details about key members of the ransomware gang and their methods. One of these revelations is Black Basta’s reliance on data brokers for attack reconnaissance. The leaked logs contain 380 unique links to company information hosted on ZoomInfo, a well-known data broker that aggregates and sells business and employee information. These links indicate that Black Basta members actively used ZoomInfo to research potential targets and facilitate their attacks.
This is not an isolated case. Threat intelligence from Okta Security has previously revealed that the cybercriminal group Scatter Swine harvests mobile phone numbers from data brokers that link employee phone numbers to specific organizations. This data was used in the large-scale credential harvesting attacks of the infamous 0ktapus campaign in 2022, which compromised nearly 10,000 credentials across 130 organizations. In that campaign, attackers used mass smishing to lure employees to spoofed websites designed to steal their login information.
These cases highlight a significant and ongoing security risk: the widespread availability of sensitive employee and organizational data through data brokers. This information is the fuel for executing highly targeted phishing, smishing, and credential-stuffing attacks.
Organizations must recognize that their external attack surface extends beyond traditional security perimeters. Effective cybersecurity strategies must include proactive measures to remove or minimize exposure from data broker sites. In doing so, companies can significantly reduce their risk of being targeted by ransomware groups like Black Basta and social engineering campaigns like 0ktapus.