BHI Energy Offers Insights into their Breach from Akira
Category: Ransomware News | Industries: Business Services, Energy | Source: BHI
BHI Energy, a company owned by Westinghouse Electric Company, disclosed a security incident involving the Akira ransomware gang. As detailed in the company's data security incident notice, an investigation with a cybersecurity company traced the incident back to May 30th, 2023, when the ransomware gang used compromised VPN credentials belonging to a third party to obtain access. "Using that third-party contractor’s account, the TA reached the internal BHI network through a VPN connection. In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network," as shared in the notice.
The Akira ransomware actors conducted their intrusion sporadically, resuming activity on June 16th to identify and collect data, with data staging beginning on June 18th. The intrusion ended on June 29th, 2023, with data encryption and the theft of 690 GB of data, including approximately 767,000 files and the company's Windows Active Directory database. BHI Energy was not aware of the incident until June 29th, when it encountered the encrypted data, which prompted an investigation with a cybersecurity company and contact with law enforcement.
Also noted in the advisory, the threat actor was not expelled from the network until around July 7th, 2023, when BHI Energy deployed its EDR and antivirus solution. BHI Energy was able to restore its data from backups stored in its unaffected cloud environment and implemented new security measures, including multi-factor authentication (MFA) on its VPN service. Lastly, on September 1st, 2023, BHI Energy identified that personal information had been compromised, including full names, dates of birth, Social Security numbers, and possibly health information.