Akira Strikes BHI Energy, Exfiltrating Massive Data Trove
In a sophisticated cyberattack, the Akira ransomware gang infiltrated the network of BHI Energy, a subsidiary of Westinghouse Electric Company.
According to a detailed disclosure letter sent to state regulators, including the Office of the Attorney General of Iowa, Akira exfiltrated 690GB of data, compromising personal information of over 91,000 individuals.
Breach Mechanics: The How and When
The initial breach occurred on May 30, when Akira used a compromised user account belonging to a third-party contractor to access BHI’s network via VPN. The group spent roughly a week reconnoitering the network and returned for further exploration on June 16. Data staging began on June 18, and the massive exfiltration took place between June 20 and June 29. BHI Energy managed to thwart the ransomware encryption, but the fate of the stolen data is still unclear.
Legacy of Conti: The Akira Connection
Interestingly, Akira includes actors previously involved with the notorious Conti ransomware group, which disintegrated in 2022. This lineage raises concerns about the evolving tactics and capabilities of the ransomware gangs who continue to wreak havoc across various industries.
Transparency in Disclosure: A Welcome Move
Josh Lemon, managed detection and response director for Uptycs, praised the detailed nature of BHI Energy’s disclosure.
He stated, “It’s a step in the right direction to provide confidence that BHI Energy knows the full scope of the incident, even if some details aren’t favorable to them.”
Implications and Countermeasures
BHI Energy took immediate steps to improve its cybersecurity posture after the incident. This included extending its deployment of endpoint detection and response (EDR) software, performing an enterprise-wide password reset, decommissioning unused systems, and implementing multi-factor authentication for VPN access.
Josh Lemon noted that Akira’s 30-day timeframe for data collection and exfiltration was slightly longer than that of most ransomware gangs, indicating a meticulous approach.
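As an added illustration (not from the article and not BHI Energy’s own tooling), the following Python sketches the kind of baseline check that surfaces the pattern described above: a VPN account that transfers little for weeks and then moves tens of gigabytes per day once staging is complete. The log format, account names, dates and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample VPN accounting records: (account, date, bytes sent out of
# the network during that account's sessions). Not real BHI Energy data.
SAMPLE_LOG = [
    ("contractor.acme", "2023-06-05", 40_000_000),
    ("contractor.acme", "2023-06-06", 35_000_000),
    ("contractor.acme", "2023-06-07", 50_000_000),
    ("contractor.acme", "2023-06-08", 45_000_000),
    ("contractor.acme", "2023-06-09", 38_000_000),
    ("contractor.acme", "2023-06-20", 60_000_000_000),  # bulk transfer begins
    ("contractor.acme", "2023-06-21", 70_000_000_000),
    ("alice", "2023-06-19", 30_000_000),
    ("alice", "2023-06-20", 25_000_000),
    ("alice", "2023-06-21", 28_000_000),
    ("bob", "2023-06-10", 10_000_000),
    ("bob", "2023-06-11", 500_000_000),  # 50x jump, but below min_bytes
]

def daily_totals(log):
    """Sum outbound bytes per account per day; returns {account: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for account, day, nbytes in log:
        totals[account][day] += nbytes
    return totals

def flag_exfil(log, window=7, factor=20.0, min_bytes=1_000_000_000):
    """Return (account, day, bytes_out, baseline) for each day on which an
    account sent at least min_bytes and more than factor times the median of
    its last `window` observed days. The median stops one or two earlier
    high-volume days from masking a multi-day exfiltration; pick `window` to
    cover the expected dwell time. First-seen accounts have no baseline and
    are judged against min_bytes alone."""
    alerts = []
    for account, days in daily_totals(log).items():
        history = []  # outbound totals of earlier observed days, in order
        for day in sorted(days):
            nbytes = days[day]
            baseline = median(history[-window:]) if history else 0
            if nbytes >= min_bytes and nbytes > factor * baseline:
                alerts.append((account, day, nbytes, baseline))
            history.append(nbytes)
    return sorted(alerts)

if __name__ == "__main__":
    for account, day, nbytes, baseline in flag_exfil(SAMPLE_LOG):
        print(f"{day} {account}: {nbytes / 1e9:.1f} GB out, baseline {baseline / 1e6:.0f} MB")
```

In production the same comparison would run over VPN or firewall accounting exports rather than an inline list, and third-party contractor accounts would typically get a lower `factor` than staff.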
The Changing Landscape of Cybersecurity
The attack on BHI Energy underscores the increasing complexity and audacity of ransomware attacks, particularly those targeting critical infrastructure and sensitive data.
In an era when VPN vulnerabilities are being exploited—similar to the 2021 Colonial Pipeline attack—it’s evident that organizations must rethink their cybersecurity strategies.
The incident also raises questions about the responsibility of companies to disclose the full scope of cyberattacks. As Lemon suggests, increased transparency could be a harbinger of a new norm in the cybersecurity landscape, one focused on collective awareness and preparedness.
With the stolen data including sensitive personal and potentially health-related information, BHI has offered two years of free access to an identity theft detection and resolution service to the affected individuals. Yet, the final ramifications of this extensive data breach remain to be seen.