Akira Ransomware Gang Targets BHI Energy: The 690GB Data Heist


Akira Strikes BHI Energy, Exfiltrating Massive Data Trove

In a sophisticated cyberattack, the Akira ransomware gang infiltrated the network of BHI Energy [1], a subsidiary of Westinghouse Electric Company.

According to a detailed disclosure letter [2] sent to state regulators, including the Office of the Attorney General of Iowa, Akira exfiltrated 690GB of data, compromising personal information of over 91,000 individuals.

Akira exfiltrated 690GB of data

Breach Mechanics: The How and When

The initial breach occurred on May 30, when Akira used a compromised user account belonging to a third-party contractor to access BHI's network via VPN. The group spent roughly a week reconnoitering the network and returned for further exploration on June 16. Data staging began on June 18, and the bulk exfiltration took place between June 20 and June 29. BHI Energy managed to thwart the ransomware encryption, but the fate of the stolen data is still unclear.
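The timeline above (a contractor VPN account, a quiet reconnaissance period, then nine days of bulk transfer) is the kind of pattern a defender can look for in VPN session accounting. The following Python script is an added example, not code from the article or from BHI Energy or Uptycs; it runs over a small set of constructed session records (invented accounts and volumes, not figures from the disclosure) and flags accounts whose daily outbound volume jumps far above their own baseline or whose trailing ten-day egress exceeds a cap. The thresholds (`ratio`, `window_days`, `window_cap`) are assumptions to be tuned per environment.

```python
"""Egress-anomaly detection over constructed VPN session records (added example)."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

MB = 1_000_000
GB = 1_000_000_000

# Constructed sample records: (day, account, is_third_party, outbound_bytes).
# Accounts and volumes are invented for illustration only.
SESSIONS = [
    # quiet baseline for an in-house account
    (date(2023, 5, 8), "alice", False, 300 * MB),
    (date(2023, 5, 9), "alice", False, 250 * MB),
    (date(2023, 5, 10), "alice", False, 400 * MB),
    # quiet baseline for a third-party contractor account
    (date(2023, 5, 8), "vendor-svc", True, 50 * MB),
    (date(2023, 5, 10), "vendor-svc", True, 80 * MB),
    # later activity: a multi-day burst of outbound transfer on the contractor account
    (date(2023, 6, 20), "vendor-svc", True, 60 * GB),
    (date(2023, 6, 21), "vendor-svc", True, 75 * GB),
    (date(2023, 6, 22), "vendor-svc", True, 70 * GB),
    # ordinary later activity for the in-house account
    (date(2023, 6, 20), "alice", False, 350 * MB),
]

# Sessions up to and including this day form the per-account baseline (assumption).
BASELINE_END = date(2023, 5, 31)


def daily_egress(sessions):
    """Sum outbound bytes per (account, day)."""
    totals = defaultdict(int)
    for day, account, _, out_bytes in sessions:
        totals[(account, day)] += out_bytes
    return totals


def account_baselines(sessions, baseline_end):
    """Mean daily outbound bytes per account over the days it was active in the baseline."""
    per_account = defaultdict(list)
    for (account, day), total in daily_egress(sessions).items():
        if day <= baseline_end:
            per_account[account].append(total)
    return {acct: mean(vals) for acct, vals in per_account.items()}


def flag_egress_anomalies(sessions, baseline_end, ratio=20.0,
                          window_days=10, window_cap=100 * GB):
    """Return findings as (account, day, reason) tuples using two rules:
    1. a single day's egress exceeds `ratio` times the account's baseline mean;
    2. cumulative egress in the trailing `window_days` days exceeds `window_cap`.
    Third-party accounts are tagged so an analyst can triage them first."""
    baselines = account_baselines(sessions, baseline_end)
    third_party = {acct for _, acct, tp, _ in sessions if tp}
    by_account = defaultdict(dict)
    for (account, day), total in daily_egress(sessions).items():
        by_account[account][day] = total

    findings = []
    for account, days in by_account.items():
        base = baselines.get(account)
        tag = "third-party" if account in third_party else "internal"
        for day in sorted(days):
            if day <= baseline_end:
                continue  # baseline days are not scored against themselves
            if base is not None and days[day] > ratio * base:
                findings.append((account, day,
                                 f"daily egress {days[day] / base:.0f}x baseline ({tag})"))
            window_start = day - timedelta(days=window_days - 1)
            window_total = sum(v for d, v in days.items() if window_start <= d <= day)
            if window_total > window_cap:
                findings.append((account, day,
                                 f"{window_total / GB:.0f} GB in trailing {window_days} days ({tag})"))
    return findings


if __name__ == "__main__":
    for account, day, reason in flag_egress_anomalies(SESSIONS, BASELINE_END):
        print(f"{day} {account}: {reason}")
```

On the constructed data the in-house account stays within its baseline while the contractor account trips the daily-ratio rule on each burst day and the trailing-window rule from the second day on. The point of the two rules together is that a slow, multi-day exfiltration can evade a per-day threshold alone, which is why a cumulative window is worth tracking alongside it.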

Legacy of Conti: The Akira Connection

Interestingly, Akira includes actors previously involved with the notorious Conti ransomware group, which disintegrated in 2022. This lineage raises concerns about the evolving tactics and capabilities of the ransomware gangs who continue to wreak havoc across various industries.

Akira Ransomware Gang

Transparency in Disclosure: A Welcome Move

Josh Lemon, managed detection and response director for Uptycs, praised the detailed nature [3] of BHI Energy's disclosure.

He stated, “It’s a step in the right direction to provide confidence that BHI Energy knows the full scope of the incident, even if some details aren’t favorable to them.”

Implications and Countermeasures

BHI Energy took immediate steps to improve its cybersecurity posture after the incident. This included extending its deployment of endpoint detection and response (EDR) software, performing an enterprise-wide password reset, decommissioning unused systems, and implementing multi-factor authentication for VPN access.

Josh Lemon noted that Akira's 30-day timeframe for data collection and exfiltration was slightly longer than that of most ransomware gangs, indicating a meticulous approach.

The Changing Landscape of Cybersecurity

The attack on BHI Energy underscores the increasing complexity and audacity of ransomware attacks, particularly those targeting critical infrastructure and sensitive data.

In an era when VPN vulnerabilities are being exploited—similar to the 2021 Colonial Pipeline attack—it’s evident that organizations must rethink their cybersecurity strategies.

The incident also raises questions about the responsibility of companies to disclose the full scope of cyberattacks. As Lemon suggests, increased transparency could be a harbinger of a new norm in the cybersecurity landscape, one focused on collective awareness and preparedness.

With the stolen data including sensitive personal and potentially health-related information, BHI has offered two years of free access to an identity theft detection and resolution service to the affected individuals. Yet, the final ramifications of this extensive data breach remain to be seen.

References

1. https://www.bhienergy.com/
2. https://www.iowaattorneygeneral.gov/media/cms/10182023_BHI_Energy__Specialty_Serv_8EA90F8C852C5.pdf
3. https://www.scmagazine.com/news/conti-successor-akira-stole-690gb-of-bhi-energy-data

Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
