Explosive Revelation: US Energy Firm Exposes Shocking Akira Ransomware Attack on its Systems

US Energy Firm BHI Energy Reveals Details of Akira Ransomware Attack

In an unprecedented demonstration of transparency, BHI Energy, a prominent US energy services company, has provided a comprehensive account of how their network was breached and data was stolen during an attack by the Akira ransomware operation.

BHI Energy, a subsidiary of Westinghouse Electric Company, specializes in offering engineering services and staffing solutions to support both private and government-operated facilities involved in oil and gas, nuclear, wind, solar, fossil power generation, as well as electricity transmission and distribution.

In a notification sent to affected individuals, BHI Energy has shared detailed information about how the Akira ransomware group infiltrated their network on May 30, 2023.

The attack began when the Akira threat actor used stolen VPN credentials belonging to a third-party contractor to gain unauthorized access to BHI Energy’s internal network.

“Using the compromised third-party contractor’s account, the threat actor established a VPN connection to infiltrate the internal BHI network,” the data breach notification states.

“During the week following the initial access, the threat actor used the same compromised account to conduct reconnaissance of the internal network.”

On June 16, 2023, the Akira operators revisited the network to identify the data they intended to steal. Between June 20 and 29, the threat actors successfully exfiltrated 767k files, amounting to 690 GB of data, which included BHI Energy’s Windows Active Directory database.

Finally, on June 29, 2023, after extracting all the data they could from BHI Energy’s network, the threat actors deployed the Akira ransomware across all devices to encrypt the files. It was at this point that BHI Energy’s IT team discovered the breach.

Upon discovering the breach, BHI Energy promptly notified law enforcement agencies and enlisted the help of external experts to assist in the recovery of their compromised systems. The threat actors were fully expelled from BHI Energy’s network on July 7, 2023.

Fortunately, the company restored its systems without succumbing to the ransom demands, recovering the data from an unaffected cloud backup solution.

BHI Energy has taken additional measures to enhance its security protocols, including implementing multi-factor authentication for VPN access, conducting a global password reset, extending the deployment of EDR and AV tools to cover all aspects of its infrastructure, and decommissioning outdated systems.

Data Exposed in the Attack

Although BHI Energy managed to recover its systems, the threat actors were able to access and steal personal information belonging to employees.

An investigation conducted on September 1, 2023, revealed that the following data had been compromised:

  • Full name
  • Date of birth
  • Social Security Number (SSN)
  • Health information

As of now, the Akira ransomware group has not published any of the stolen data from BHI Energy on their extortion portal on the dark web, nor have they announced any upcoming data leaks involving the company.

The data breach notifications include instructions on how to enroll in a two-year identity theft protection service offered by Experian.
