Network Security
Vulnerability Management
Privileged Access Management
Endpoint Security
Threat Hunting
Unified Endpoint Management
Email & Collaboration Security
Contents:
BHI Energy, a US energy services company linked to Westinghouse Electric Company, has revealed specifics about a cyberattack on their systems. The Akira ransomware group is responsible for the breach that took place on May 30, 2023.
As a division of Westinghouse Electric Company, BHI Energy provides specialized engineering services and staffing solutions to oil and gas, nuclear, wind, solar, and fossil power generation units as well as facilities for transmitting and distributing electricity. These facilities are run by both private and public entities.
How Did the Breach Happen?
In a notice of data breach that BHI Energy sent to people who were affected, the company goes into great detail about how the Akira ransomware group got into its network on May 30, 2023.
- The threat actor initially accessed BHI’s system using stolen VPN credentials from a third-party contractor.
- Using that third-party contractor’s account, the TA (threat actor) reached the internal BHI network through a VPN connection.
- In the week following initial access, the TA used the same compromised account to perform data reconnaissance.
- Over subsequent weeks, they began staging data and ultimately extracted 767k files totaling 690 GB, which included a copy of BHI’s Active Directory database.
- The cybercriminals encrypted all accessible files with the Akira ransomware on June 29, and that was the moment BHI’s IT team recognized the breach.
On June 29, 2023, having completed exfiltration of the data, the TA deployed the Akira ransomware to a subset of systems within BHI’s network. The TA provided a file listing that referenced 767,035 files exfiltrated, totaling 690GB of uncompressed data. The TA created and subsequently deleted these archives on a BHI server.
Extract from BHI’s Security Notice (Source)
Investigation and Protective Measures
BHI started an investigation, involving law enforcement and external cybersecurity experts. By July 7, 2023, the threat was neutralized.
The company managed to restore their compromised systems using unaffected cloud backups, avoiding the need to pay a ransom, explains Bleeping Computer.
In response to the breach, BHI has now enhanced its security infrastructure, including implementing multi-factor authentication for VPN and overhauling its password system.
After removing the TA from BHI’s network, which occurred on or about July 7, 2023, BHI extended its deployment of EDR and antivirus software within the environment; performed an Enterprise Password Reset; decommissioned legacy and unused systems; and implemented multi-factor authentication on its remote access VPN.
Extract from BHI’s Security Notice (Source)
Despite BHI’s recovery efforts, the attackers did manage to acquire data with sensitive employee details such as:
- names
- birth dates
- Social Security Numbers
- and health-related information.
BHI confirmed the names and addresses of the 896 Iowa residents who were affected.
As of now, there’s no evidence of the Akira group sharing BHI’s data on the dark web. Affected individuals have been offered a two-year identity theft protection service.
Addressing Advanced Ransomware with Heimdal® EDR
If you’re looking for a solution to help you prevent advanced ransomware and other cyber threats, Heimdal® Endpoint Detection and Response (EDR) can help you with that. Its capabilities extend beyond conventional threats, effectively countering ransomware, insider threats, admin rights abuse, Advanced Persistent Threats (APTs), software exploits, and brute force attacks.
Leveraging the power of Machine Learning and AI, Heimdal EDR can identify and neutralize both established and emerging cyber threats, offering a proactive and efficient defense strategy.
Moreover, by integrating six distinct solutions into a single easy-to-deploy and compact agent, it will save you time and not delay your systems.
If you liked this article, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.
Madalina, a seasoned digital content creator at Heimdal®, blends her passion for cybersecurity with an 8-year background in PR & CSR consultancy. Skilled in making complex cyber topics accessible, she bridges the gap between cyber experts and the wider audience with finesse.
