Westinghouse subsidiary BHI Energy, an energy services provider, confirmed that it experienced an Akira ransomware attack in June.
BHI’s IT team discovered network data being encrypted in late June; as it investigated the incident, it brought in outside counsel and a third-party cybersecurity firm.
The cybersecurity firm found that Akira, the threat actor, gained initial access in late May through the compromised account of a third-party contractor, resulting in the threat actor reaching “the internal BHI network through a VPN connection.”
According to the notice sent to Iowa’s consumer protection agency, in the week after first gaining access, the threat actor performed reconnaissance of the internal network on two separate occasions. In late June, the threat actor began exfiltrating 690GB of data over nine days, including BHI’s Active Directory database. Once the exfiltration was complete, the threat actor deployed the Akira ransomware.
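The sequence described above (a single VPN account moving hundreds of gigabytes out over several days before encryption starts) is a pattern that can be caught from session accounting alone. The following is an added illustration, not code from BHI, the cybersecurity firm, or Dark Reading: it assumes a simplified, constructed log format of one line per VPN session (`date user bytes_out`) and flags any account whose outbound volume exceeds a daily threshold on several distinct days. The thresholds and the sample lines are assumptions chosen for the example.

```python
"""Flag sustained high-volume outbound transfers per VPN account.

Added example, not from the BHI notice. Assumes a constructed log format:
one line per session, "YYYY-MM-DD username bytes_out".
"""
from collections import defaultdict

# Constructed sample log lines (not real BHI data). One contractor account
# moves tens of GB per day for a stretch of days; the other users do not.
SAMPLE_LOG = """\
2023-06-01 contractor01 120000000
2023-06-01 alice 40000000
2023-06-02 contractor01 9000000000
2023-06-03 contractor01 85000000000
2023-06-03 alice 35000000
2023-06-04 contractor01 80000000000
2023-06-05 contractor01 70000000000
2023-06-06 contractor01 90000000000
2023-06-06 bob 200000000
2023-06-07 contractor01 75000000000
"""

GB = 10**9


def parse_log(text):
    """Return {(user, date): bytes_out summed over that user's sessions that day}."""
    totals = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, nbytes = line.split()
        totals[(user, date)] += int(nbytes)
    return totals


def flag_sustained_exfil(totals, daily_gb=50, min_days=3):
    """Return accounts whose outbound volume exceeded daily_gb on at least
    min_days distinct days, with those days and the total moved on them.

    One large day may be a legitimate backup or sync job; the same VPN
    account pushing tens of GB on day after day is what merits a look.
    daily_gb and min_days are assumed thresholds, tune them to the site."""
    heavy_days = defaultdict(list)
    for (user, date), nbytes in totals.items():
        if nbytes >= daily_gb * GB:
            heavy_days[user].append(date)

    flagged = {}
    for user, days in heavy_days.items():
        if len(days) >= min_days:
            total = sum(totals[(user, d)] for d in days)
            flagged[user] = {"days": sorted(days), "total_gb": round(total / GB, 1)}
    return flagged


if __name__ == "__main__":
    for user, info in flag_sustained_exfil(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {info['total_gb']} GB over {len(info['days'])} days "
              f"({info['days'][0]} .. {info['days'][-1]})")
```

Run against real VPN or firewall accounting, the same aggregation would have a nine-day, 690GB signal to work with; the point is that volume per account per day, not any single session, is the quantity worth alerting on, and that contractor and third-party accounts deserve the same baseline as employees.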
The threat actor was removed from BHI’s network in July, and the company took several steps to secure its environment. Since BHI’s cloud backup solution was unaffected, the company was able to recover data without needing a ransomware decryption tool.
In reviewing the affected systems, BHI found that the data affected included personal information such as full names, dates of birth, Social Security numbers, and health information of 896 Iowa residents, who have since been notified. BHI is offering a 24-month membership to Experian’s IdentityWorks to these people.
Source: www.darkreading.com