Ransomware gang Akira spent a month collecting and exfiltrating 690GB of data from the network of BHI Energy, including personal information belonging to more than 91,000 individuals.
Details of the hack are set out in a lawyers’ letter disclosing the data breach sent to state regulators including the Office of the Attorney General of Iowa.
The threat group gained initial access to the company through a VPN connection using a compromised user account belonging to a third-party contractor. BHI Energy managed to circumvent Akira’s attempt to encrypt parts of its network, but the fate of the stolen data remains unclear.
Headquartered in Weymouth, Massachusetts, BHI Energy is a subsidiary of the Westinghouse Electric Company, which provides services and staffing solutions for the energy sector.
The Akira gang includes actors previously involved in the once-powerful Conti ransomware group which unraveled in 2022.
The data breach disclosure letter included more details about the incident than most organizations disclose after a cyberattack — something Josh Lemon, managed detection and response director for Uptycs, described as a positive development.
“The level of detail provided about the compromise is a welcome change and a step in the right direction to provide confidence that BHI Energy knows the full scope of the incident, even if some details aren’t favorable to BHI Energy,” he said.
“It’s important that more organizations move to provide this level of detail to be transparent with their customers and provide confidence that details of an incident are thoroughly known.”
Timeline of the attack on BHI's network
According to the letter, Akira’s initial access was gained on May 30. The group spent the following week using the same compromised account to carry out reconnaissance on the network.
Akira returned on June 16 to perform further reconnaissance and began staging data on June 18. The 690GB exfiltration — which included a copy of BHI’s Active Directory database — took place between June 20 and June 29.
The same day exfiltration was completed, the gang deployed Akira’s ransomware to “a subset of systems” on the network. Also on June 29, BHI’s IT team discovered data on the network had been encrypted and took steps to isolate the affected systems, stop propagation, and eventually remove the attackers.
“Because the company’s cloud backup solution was not affected, BHI was able to successfully recover data in the systems without needing to obtain a ransomware decryption tool from the TA (threat actor),” the disclosure letter said.
Click for more special coverage
Lemon said the 30 days Akira took to complete data collection and exfiltration was a little longer than most ransomware gangs spent.
The approximately 17 days spent moving laterally through the network to obtain domain-level credentials to access systems was also fairly long for a threat actor to spend performing those tasks, he said.
BHI contacting individuals affected by breach
According to the lawyers’ letter, BHI were able to remove the threat from their network on about July 7.
To improve security following the incident, the company extended its deployment of endpoint detection and response (EDR) and antivirus software, performed an enterprise password reset, decommissioned legacy and unused systems, and implemented multi-factor authentication for remote access VPN.
Organizations are moving away from relying on VPNs because of the security risks they can pose. One high profile case where hackers gained initial access through a compromised VPN was the 2021 Colonial Pipeline attack.
Further analysis by BHI after the attack confirmed the exfiltrated data included individuals’ first, middle and last names, dates of birth, Social Security numbers and potentially health information. The company sent letters to all affected individuals on Oct. 18 offering two years’ free access to an identity theft detection and resolution service.
