BHI Energy, a popular name in the US energy services sector, has chosen transparency over secrecy in revealing the details of a ransomware breach carried out by the notorious Akira group.
What Does BHI Energy Do?
Before we dive into the details of the breach, it's important to understand what BHI Energy represents.
Part of the renowned Westinghouse Electric Company, BHI Energy specializes in providing engineering services and staffing solutions. Their support spans across a wide spectrum, including private and government-operated entities within the domains of oil & gas, nuclear, wind, solar, and fossil power generation units, as well as electricity transmission and distribution facilities.
Related Article: FBI Most Wanted Russian Hacker 'Wazawaka' Unfazed by US Sanctions, Claims 'Better' Life
US Energy Firm Reveals How Akira Data Breach Happened
Akira Ransomware Hack
In an unprecedented move towards transparency, BHI Energy disclosed how the Akira ransomware operation infiltrated their networks. The breach occurred on May 30, 2023, and the firm promptly notified the affected parties, offering a detailed account of the attack.
The Akira threat actors initiated the attack by leveraging stolen VPN credentials from a third-party contractor, the data breach notification indicates.
Using this compromised account, they gained access to BHI Energy's internal network through a VPN connection. In the week that followed, the threat actors conducted extensive reconnaissance within the internal network.
Data Exfiltration
On June 16, 2023, the Akira operatives returned to the network to identify data for theft, per Bleeping Computer. Between June 20 and 29, they exfiltrated a staggering 767,000 files, totaling 690 GB of data. Notably, this trove included BHI's critical Windows Active Directory database.
The final blow occurred on June 29, 2023, when the threat actors executed the Akira ransomware across all devices, encrypting files. BHI Energy's IT team only became aware of the breach at this point.
Responding promptly, BHI Energy informed law enforcement and enlisted external experts to aid in system recovery. By July 7, 2023, the threat actors' foothold in the network was eradicated. The company managed to restore its systems from an unaffected cloud backup, avoiding the need to pay a ransom.
Learning from the incident, BHI Energy fortified its security posture. They implemented multi-factor authentication for VPN access, conducted a global password reset, expanded the deployment of EDR and AV tools across their environment, and decommissioned legacy systems.
While BHI Energy successfully regained control of its systems, the breach exposed the personal information of employees. An investigation concluded on September 1, 2023, identified the stolen data, which included full names, birthdates, Social Security Numbers (SSN), and health information.
At the time of writing, the Akira ransomware group had not disclosed BHI Energy's data on their dark web extortion portal. The situation continues to be monitored closely.
Protecting Affected Parties
To mitigate the impact on affected individuals, BHI Energy offered instructions on enrolling in a two-year identity theft protection service through Experian.
The Hacker News reported that Microsoft Defender has helped the authorities thwart the "large-scale remote encryption attempt" launched by cybercriminals behind the Akira ransomware attack.
