US Energy Firm Shares How Akira Ransomware Hacked its Systems

Cyber Security Threat Summary:
In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

BHI issued a data breach notification to impacted victims, and provided details about how the Akira ransomware group breached their networks back in May of this year. Akira threat actors began using stolen VPN credentials for a third-party contractor, which they used to access BHI Energy’s internal network. After confirming the initial connection, the threat actors used the same compromised account to perform reconnaissance of the internal network. It wasn’t until June 16, 2023, that the threat actor returned to enumerate data to be stolen. Between June 20-29, the threat actor stole nearly 800k files containing 700 GB of data, including BHI’s Windows Active Directory database. Finally, on June 29, 2023, after stealing all the data they could from BHI's network, the threat actors deployed the Akira ransomware on all devices to encrypt files. It was only then that BHI's IT team realized the company had been compromised. The firm says they immediately informed law enforcement and engaged with external experts to help them recover the impacted systems. The threat actor's foothold on BHI's network was removed on July 7, 2023.

Security Officer Comments:
Fortunately for BHI, they were able to recover their data from a cloud backup solution that was unaffected by the ransomware attack. Some ransomware strains have been known to target cloud-based backup solutions as well. Because they were able to recover, BHI was able to avoid paying a ransom. Since the attack, BHI says it has increased several security measures, specifically imposing multi-factor authentication on its VPN access, performing a global password reset, extending the deployment of EDR and AV tools to cover all sections of its environment, and decommissioning legacy systems.

While BHI was able to recover its systems, threat actors still stole sensitive employee information which could be used against them in extortion attacks. Akira has yet to leak any data belonging to BHI on their extortion portal on the dark web.

An investigation that concluded on September 1, 2023, indicates that the following data was stolen:

  • Full name
  • Date of birth
  • Social Security Number (SSN)
  • Health information

Once again, we see a third-party contractor responsible for a high-profile data breach. Organizations should be careful providing access to outside entities. The principle of least privilege should be applied, so contractors only have access to the data required for them to complete their assignments. Multi-factor authentication should be applied whenever possible, as usernames and passwords are commonly stolen. Once work has been completed by a third-party contractor, a process should be in place to suspend or remove that access immediately. Lingering access credentials can create an access point with limited visibility.
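
One way to check for the lingering contractor access and missing MFA described above, as an added example (not from BHI's notification or the original article). The account fields, sample rows and 90-day dormancy threshold are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample VPN account inventory (not data from the incident).
ACCOUNTS = [
    {"user": "jsmith", "type": "employee", "enabled": True, "mfa": True,
     "contract_end": None, "last_login": date(2023, 6, 28)},
    {"user": "ctr-acme-01", "type": "contractor", "enabled": True, "mfa": False,
     "contract_end": date(2023, 3, 31), "last_login": date(2023, 6, 16)},
    {"user": "ctr-acme-02", "type": "contractor", "enabled": True, "mfa": True,
     "contract_end": date(2023, 12, 31), "last_login": date(2023, 1, 10)},
    {"user": "ctr-beta-07", "type": "contractor", "enabled": False, "mfa": False,
     "contract_end": date(2023, 2, 1), "last_login": date(2023, 1, 30)},
]

DORMANT_DAYS = 90  # assumed threshold for "unused but still enabled"


def audit_account(acct, today):
    """Return the list of findings for one VPN account."""
    findings = []
    if not acct["enabled"]:
        return findings  # disabled accounts cannot be used to log in
    if not acct["mfa"]:
        findings.append("no-mfa")
    if acct["type"] == "contractor":
        end = acct["contract_end"]
        if end is None:
            findings.append("contractor-no-end-date")
        elif end < today:
            findings.append("access-after-contract-end")
            if acct["last_login"] and acct["last_login"] > end:
                findings.append("login-after-contract-end")
    last = acct["last_login"]
    if last is None or (today - last).days > DORMANT_DAYS:
        findings.append("dormant")
    return findings


def audit(accounts, today):
    """Map each user with at least one finding to its findings."""
    report = {a["user"]: audit_account(a, today) for a in accounts}
    return {user: f for user, f in report.items() if f}


if __name__ == "__main__":
    for user, findings in audit(ACCOUNTS, date(2023, 6, 30)).items():
        print(f"{user}: {', '.join(findings)}")
```
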

Suggested Correction(s):
On top of the security controls I highlighted above, organizations should evaluate their partners via third-party risk assessments. Third-party risk assessments are essential evaluations conducted by organizations to assess and mitigate potential risks associated with engaging external vendors or partners. These assessments help identify vulnerabilities in the security practices of third parties, ensuring that they have adequate measures in place to protect sensitive data and comply with regulations. By conducting these assessments, organizations can proactively mitigate risks, maintain compliance, protect their reputation, and enhance their overall security posture. Overall, third-party risk assessments play a crucial role in managing the inherent risks associated with third-party relationships and safeguarding organizational assets.