US energy services company BHI Energy has disclosed how the Akira ransomware group breached its network and stole data.
BHI Energy, affiliated with Westinghouse Electric Company, is a specialised provider of engineering services and staffing solutions for private and government-operated entities in the oil & gas, nuclear, wind, solar, fossil power generation, and electricity transmission and distribution sectors.
In its data breach notification, BHI Energy explained in detail how the Akira ransomware gang compromised its network, starting on May 30, 2023.

BHI Energy stressed that the attackers obtained initial access through one of its third-party contractors: the intrusion began when the Akira operators logged into BHI's internal network over VPN using credentials stolen from that contractor.

The threat actors used the compromised account for internal network reconnaissance over the following week. The Akira operators then returned to the network on June 16, 2023, to identify data worth stealing.
Between June 20 and 29, the threat actors stole approximately 767,000 files, totalling 690 gigabytes of data, including BHI's Windows Active Directory database.

On June 29, 2023, having completed the data exfiltration, the group deployed the Akira ransomware across BHI's devices to encrypt their files. This is when BHI's IT team discovered the compromise.
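The timeline above exposes two signals a defender could have keyed on: a third-party VPN account authenticating without MFA, and that same account pushing hundreds of gigabytes out of the network over a few sessions. The following Python script is an added example, not code from BHI Energy or its notification; it runs detection logic over constructed VPN session records (the account name, log format and byte counts are invented for illustration) and flags both conditions.

```python
import re
import statistics
from collections import defaultdict

# Constructed VPN session records for illustration only (not BHI's logs).
# Fields: session end time (UTC), account, whether MFA was used, and bytes
# sent out of the internal network through the tunnel.
SAMPLE_LOG = """\
2023-05-30T02:14:07Z user=vendor.jdoe mfa=no bytes_out=41230
2023-05-31T01:52:10Z user=vendor.jdoe mfa=no bytes_out=38800
2023-06-01T03:05:44Z user=vendor.jdoe mfa=no bytes_out=45210
2023-06-02T09:10:00Z user=alice.eng mfa=yes bytes_out=120400
2023-06-16T23:40:12Z user=vendor.jdoe mfa=no bytes_out=52000
2023-06-21T22:01:30Z user=vendor.jdoe mfa=no bytes_out=74000000000
2023-06-25T22:18:02Z user=vendor.jdoe mfa=no bytes_out=81000000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) mfa=(?P<mfa>yes|no) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the hypothetical log format into dicts, sorted by timestamp.

    Lines that do not match the format are skipped rather than raising, so a
    stray banner or malformed line does not stop the whole run.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["bytes"] = int(d["bytes"])
        d["mfa"] = d["mfa"] == "yes"
        records.append(d)
    # ISO-8601 timestamps sort correctly as strings.
    return sorted(records, key=lambda r: r["ts"])


def no_mfa_logins(records):
    """Accounts that completed a VPN login without MFA.

    Stolen credentials alone were enough for the intrusion described in the
    article; this lists every account for which that is still true.
    """
    return sorted({r["user"] for r in records if not r["mfa"]})


def exfil_sessions(records, factor=50, min_history=3):
    """Flag sessions whose bytes_out exceeds factor x the account's baseline.

    The baseline is the median of that account's earlier, unflagged sessions.
    An account needs min_history prior sessions before it is judged, so a new
    account's first session is not compared against an empty history, and
    flagged sessions are kept out of the baseline so one huge transfer does
    not make the next one look normal.
    """
    history = defaultdict(list)
    flagged = []
    for r in records:
        prior = history[r["user"]]
        if len(prior) >= min_history and r["bytes"] > factor * statistics.median(prior):
            flagged.append((r["ts"], r["user"], r["bytes"]))
            continue
        prior.append(r["bytes"])
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("accounts logging in without MFA:", no_mfa_logins(recs))
    for ts, user, nbytes in exfil_sessions(recs):
        print(f"{ts} {user} sent {nbytes / 1e9:.1f} GB, far above baseline")
```

On the constructed data the two late-June sessions are the only ones flagged, and the vendor account is the only one without MFA. In a real deployment the byte counts would come from the VPN concentrator's session accounting and the thresholds would be tuned per account class; contractor accounts in particular rarely have a legitimate reason to move tens of gigabytes outbound.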
The company promptly contacted law enforcement and engaged third-party security services to help with the response. The incident was closed on July 7, 2023, once the threat actors had been evicted from the network.

BHI Energy reports that it restored its systems from an unaffected cloud backup rather than paying a ransom. It also says it has strengthened its security posture by enforcing multi-factor authentication for VPN access, performing a global password reset, extending Endpoint Detection and Response (EDR) and antivirus (AV) coverage to the whole environment, and decommissioning legacy systems. The global reset is not optional after a theft like this one: the stolen Active Directory database holds the password hashes of every domain account, and a practitioner would also expect the krbtgt account to be reset, twice, so that Kerberos tickets forged from the stolen hashes stop working.

The Akira ransomware group has threatened to publish the data stolen from BHI. The company, for its part, included instructions for enrolling in two years of identity theft protection in its data breach notifications.