US energy firm shares how Akira ransomware hacked its systems

October 23, 2023 at 12:42PM

US energy services firm BHI Energy disclosed how the Akira ransomware gang breached their network and stole data in a recent attack. The attackers used stolen VPN credentials from a third-party contractor to gain access. They stole 767k files, including personal information such as full names, dates of birth, social security numbers, and health information. BHI was able to recover its systems without paying a ransom and implemented additional security measures.

Key takeaways:

1. BHI Energy, a US energy services firm, experienced a data breach caused by the Akira ransomware operation.
2. The breach occurred on May 30, 2023, through the use of stolen VPN credentials from a third-party contractor.
3. The threat actors accessed BHI Energy’s internal network and performed reconnaissance for a week before revisiting the network to steal data between June 20 and 29, 2023.
4. They managed to steal 767k files containing 690 GB of data, including the Windows Active Directory database.
5. On June 29, 2023, the threat actors deployed the Akira ransomware, encrypting files and alerting BHI Energy’s IT team to the compromise.
6. BHI Energy immediately informed law enforcement and engaged external experts to assist with recovery.
7. They were able to recover their systems from an unaffected cloud backup solution, avoiding the need to pay a ransom.
8. BHI Energy has implemented additional security measures, including multi-factor authentication, password resets, extended use of EDR and AV tools, and decommissioning of legacy systems.
9. Employees’ personal information, such as full names, dates of birth, SSNs, and health information, was exposed in the breach.
10. As of now, no leaked data belonging to BHI Energy has been found on the Akira ransomware group’s extortion portal or announced for future leaks.
11. The data breach notices provided instructions for affected individuals to enroll in a two-year identity theft protection service through Experian.
