US energy firm shares how Akira ransomware hacked its systems

Gandalf_The_Grey

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack.

BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

In a data breach notification sent by BHI Energy to impacted people, the company provides detailed information on how the Akira ransomware gang breached its network on May 30, 2023.

The attack first started with the Akira threat actor using the stolen VPN credentials for a third-party contractor to access BHI Energy's internal network.

"Using that third-party contractor's account, the TA (threat actor) reached the internal BHI network through a VPN connection," reads the data breach notification.

"In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network."

The Akira operators revisited the network on June 16, 2023, to enumerate the data that would be stolen. Between June 20 and 29, the threat actors stole 767k files containing 690 GB of data, including BHI's Windows Active Directory database.

Finally, on June 29, 2023, having stolen all data they could from BHI's network, the threat actors deployed the Akira ransomware on all devices to encrypt files. This was when BHI's IT team realized the company had been compromised.

The firm says they immediately informed law enforcement and engaged with external experts to help them recover the impacted systems. The threat actor's foothold on BHI's network was removed on July 7, 2023.

The company says it was able to recover data from a cloud backup solution that hadn't been affected by the ransomware attack, so they were able to restore their systems without paying a ransom.

Additionally, BHI bolstered its security measures by imposing multi-factor authentication on VPN access, performing a global password reset, extending the deployment of EDR and AV tools to cover all sections of its environment, and decommissioning legacy systems.
 
