In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack.
BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.
In a data breach notification sent by BHI Energy to impacted people, the company provides detailed information on how the Akira ransomware gang breached its network on May 30, 2023.
The attack first started by the Akira threat actor using the stolen VPN credentials for a third-party contractor to access BGI Energy's internal network.
"Using that third-party contractor's account, the TA (threat actor) reached the internal BHI network through a VPN connection," reads the data breach notification.
"In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network."
The Akira operators revisited the network on June 16, 2023, to enumerate data would be stolen. Between June 20 and 29, the threat actors stole 767k files containing 690 GB of data, including BHI's Windows Active Directory database.
Finally, on June 29, 2023, having stolen all data they could from BHI's network, the threat actors deployed the Akira ransomware on all devices to encrypt files. This was when BHI's IT team realized the company had been compromised.
The firm says they immediately informed law enforcement and engaged with external experts to help them recover the impacted systems. The threat actor's foothold on BHI's network was removed on July 7, 2023.
The company says it was able to recover data from a cloud backup solution that hadn't been affected by the ransomware attack, so they were able to restore their systems without paying a ransom.
Additionally, BHI bolstered its security measures by imposing multi-factor authentication on VPN access, performing a global password reset, extending the deployment of EDR and AV tools to cover all sections of its environment, and decommissioning legacy systems.
Data exposed in the attack
While BHI was able to recover its systems, the threat actors could steal data containing employees' personal information.
An investigation concluded on September 1, 2023, indicates that the following data was stolen:
- Full name
- Date of birth
- Social Security Number (SSN)
- Health information
At the time of writing this, Akira ransomware has not leaked any data belonging to BHI on its extortion portal on the dark web, and neither have the cybercriminals announced BHI in their upcoming data leaks.
The data breach notices enclose instructions on enrolling in a two-year identity theft protection service through Experian.
Comments
deltasierra - 6 months ago
Wow, that is transparent! It sure is appreciated is it reinforces all the things that everyone should be doing and to have some ammo to get budgets, projects, and plans approved as security isn't cheap and certainly requires skilled labor and full top-down company commitment to a strong security culture.
You heard it again, folks: implement enforced MFA for any RAVPN access that your organization uses, or even consider going to a full ZTNA solution.
With their AD database being compromised, this sets them up for easier access and lateral movement in future attacks, even with global password resets, AD hygiene improvement, etc. And is everyone occasionally rotating their krbtgt password and making sure that account stays disabled??
https://www.stigviewer.com/stig/windows_server_2016/2019-01-16/finding/V-91779#:~:text=If%20the%20%22PasswordLastSet%22%20date%20is,old%2C%20this%20is%20a%20finding.&text=Reset%20the%20password%20for%20the,reduces%20the%20risk%20of%20issues