Description

BHI Energy, a US energy services firm associated with Westinghouse Electric Company, has disclosed the details of an Akira ransomware attack that compromised its network and resulted in data theft. In a data breach notification sent to affected individuals, the company states that the breach began on May 30, 2023, when the Akira threat actor used stolen VPN credentials belonging to a third-party contractor to access BHI Energy's internal network. No multi-factor authentication was required for the VPN at the time, so the stolen username and password alone were sufficient.

According to the notification, the intruders spent about a week on reconnaissance after the initial access. On June 16, 2023, the Akira operators returned to BHI Energy's network to identify data worth stealing. Between June 20 and June 29, they exfiltrated 767,000 files totaling 690 GB, including BHI's Windows Active Directory database. That last item matters beyond the files themselves: the AD database (NTDS.dit) holds password hashes for every domain account, so once it is exfiltrated every domain credential should be treated as compromised, which is why a global password reset (including resetting the krbtgt account twice) is the standard response rather than an optional hardening step.

On June 29, 2023, the threat actors deployed the Akira ransomware, encrypting files on all devices, at which point BHI's IT team recognized the full extent of the breach. BHI promptly notified law enforcement and engaged external experts to assist with system recovery. By July 7, 2023, the threat actor's foothold on BHI's network had been eliminated. BHI was able to recover data from a cloud backup solution that the attackers had not reached, enabling restoration of its systems without paying a ransom.

BHI has since strengthened its security posture: it enforced multi-factor authentication for VPN access, conducted a global password reset, extended the deployment of EDR and antivirus tools across its environment, and decommissioned legacy systems. However, despite the successful recovery, employees' personal information was compromised, including full names, dates of birth, Social Security numbers (SSNs), and health information. As of the latest update, the Akira gang has not published or announced BHI's data on its dark web leak site. The breach notices include guidance on enrolling in a two-year identity theft protection service provided by Experian.