Black Basta names nearly a dozen Australian companies in data leak

The Black Basta ransomware gang has followed through on its threat to release more than 700 gigabytes of data belonging to more than a dozen Australian companies.

According to the hackers, the companies themselves were not hacked but rather a cloud hosting service they all have in common. Black Basta has yet to reveal which cloud service was its victim.

Initially, Black Basta claimed to have data belonging to 12 Australian companies and one UK garden outlet, Primrose. A screenshot, however, showed a file directory with just seven folders labelled ACS, ATM, AW, LB, OHS, ONC, and WF, presumable standing for some of the companies originally listed: Advanced Catering Systems, Australian Textile Mills, Aus Weave, The Local Bar, Optimum Health Services, and Wilson Fabrics.

The folder labelled ONC appears to refer to Optimum Allied Health, according to the documents within; however, the files all appear to be placeholders, not the actual listed files. There is also a folder called Public that has a seemingly random selection of documents belonging to a Sydney property developer.

However, some of the names listed by Black Basta originally – such as that UK garden supplier (Primrose) and the IT outfit Xen Technologies – appear to be missing from the final dump, though it must be said that it takes a while to go through 700 gigabytes of data, especially when it’s poorly hosted online. Others, like Optimum Allied Health, were not even mentioned in the initial leak post.

Given the number of passports and other ID documents that belonged to employees of Optimum Health Services, we reached out to them specifically for comment on the incident.

“We are aware an unknown third party has named us online, alongside claims that it has published data it alleges was taken from our IT environment,” a spokesperson for Optimum Health Services told Cyber Daily.

“With the support of external cyber security and privacy experts, we are now working to determine if these claims have any merit.”

VIEW ALL

The spokesperson also noted that this incident is the second hack the healthcare provider has suffered in the last 12 months and that the data is likely the same as that previously reported by Cyber Daily in August of last year when the Rhysida ransomware gang published 186 gigabytes of Optimum’s data.

“We have reason to believe that if this data does come from our systems, it relates to a cyber incident that we responded to last year. We notified impacted individuals and provided them with support and guidance as part of that response,” Optimum’s spokesperson said.

“If our investigation finds any additional personal information, we will work to support those impacted in line with our commitment to protecting the privacy of our stakeholders.”

However, an analysis of the data leaked just this week by Black Basta suggests that this incident is a separate one. Some documents in the current leak were last modified in February 2024, well after the Rhysida incident.

Going back to that 2023 Rhsyida leak does reveal some interesting connections, though. While Black Basta’s hack does seem to be legitimate, the Rhsyida hack also impacted some of the companies listed in Black Basta’s hack. Among the data belonging to Optimum Health Solutions is a folder called CPSM-File-Sharing, which is the same name as a folder in the Black Basta data dump.

More curiously, many of the folders in that one are identical to those leaked by Black Basta. The Local Bar, Advanced Catering Systems, Wilson Fabrics, and more are all there, and all with the same files and folders listed. The directory also contains a folder called Upper Mgmt, which does belong to Optimum Health Services.

Other folders, however, are missing from the Rhysida version of the CPSM-File-Sharing folder.

So what is going on?

Who’s been hacked?

Clearly, the two hacks are linked, as they involve similar, yet different, data sets. The fact that data belonging to other companies was originally leaked alongside Optimum’s in the Rhysida hack last year provides a link, as does the fact that Black Basta used data from that previous leak – namely passports and other ID documents – to advertise this new one.

In fact, those passports do not appear to be in Black Basta’s dataset at all. The scans all appear identical to those leaked by Rhysida, so it’s possible that Black Basta was using previously leaked data to make this new leak look juicier and more damaging.

So far, only Optimum Health Services has responded to our inquiries, and while it does appear that a hosting service is involved, no one has yet been able to confirm the service that’s been targeted – including Optimum. Even more curious is the fact that Black Basta references several other companies as being impacted – such as IT service provider Xen Technologies – but we cannot find any data belonging to them in the final leak.

Our investigation is ongoing, and if any of the mentioned parties have information that can assist, please email us at [email protected]

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.