BHI Energy, a division of Westinghouse Electric Company, provides specialized engineering services and workforce solutions to support government and private-run power generation facilities, including nuclear, wind, solar, and fossil fuel units and transmission and distribution lines for energy.
The company has sent a data breach notification to affected individuals, where it has provided details on how the ransomware gang (Akira) breached its network on May 30, 2023.
The Akira threat actor initiated the attack by utilizing the compromised VPN credentials of a third-party contractor to gain entry to BGI Energy's internal network.
"Using that third-party contractor's account, the TA (threat actor) reached the internal BHI network through a VPN connection[…]In the week following initial access, the TA used the same compromised account to perform reconnaissance of the internal network," the breach notification read.
On June 16, 2023, the Akira operators checked the network again to see how much data had been taken. The threat actors took 690 GB of data, including the Windows Active Directory database of BHI, in 767k files between June 20 and June 29.
After obtaining the data from BHI's network, the threat actors deployed the Akira ransomware on every targeted system to encrypt files on June 29, 2023. At this point, the IT staff at BHI were aware that the business had been compromised.
The data obtained by the ransomware group involved the personal information of the victim. In an investigation held on September 1, 2023, it was revealed that the stolen data included:
- Full name
- Date of birth
- Social Security Number (SSN)
- Health information
The firm claims that it was able to restore its systems without having to pay a ransom because it was able to retrieve data from a cloud backup solution that was unaffected by the ransomware attack.
Moreover, by implementing multi-factor authentication for VPN access, resetting all passwords globally, expanding the deployment of EDR and AV technologies to cover every area of its environment, and decommissioning legacy systems, BHI strengthened its security protocols even further.