October 25, 2023 at 08:03PM
Westinghouse subsidiary BHI Energy confirmed that it experienced an Akira ransomware attack in June. The threat actor gained access through a compromised account belonging to a third-party contractor, then performed network reconnaissance before exfiltrating 690 GB of data and deploying the ransomware. The threat actor was removed in July, and BHI was able to recover data from unaffected cloud backups. Personal information of 896 Iowa residents was affected; they have been notified and offered a membership to Experian’s IdentityWorks.
Key Points from the Meeting Notes:
1. BHI Energy, a subsidiary of Westinghouse, experienced an Akira ransomware attack in June.
2. BHI’s IT team discovered network data encryption and brought in outside counsel and a third-party cybersecurity firm to investigate.
3. The cybersecurity firm found that the threat actor, Akira, gained initial access through a compromised account of a third-party contractor.
4. The threat actor performed reconnaissance of the internal network on two occasions after gaining access.
5. Starting in late June, the threat actor exfiltrated 690 gigabytes of data over nine days, including BHI’s Active Directory database.
6. Once data exfiltration was complete, the threat actor deployed the Akira ransomware.
7. The threat actor was removed from BHI’s network in July, and the company took measures to secure its environment.
8. BHI’s cloud backup solution was unaffected, allowing data recovery without the need for a ransomware decryption tool.
9. Personal information of 896 Iowa residents, including names, dates of birth, Social Security numbers, and health information, was affected.
10. The affected individuals have been notified and offered a 24-month membership to Experian’s IdentityWorks.