Cyber Incident Victim: Hitachi Vantara
Date: Apr 2025
Location: United States of America
Summary
Hitachi Vantara experienced a ransomware attack attributed to the Akira group, prompting the company to take servers offline to contain the breach. The incident disrupted internal systems and the company's manufacturing while cloud services remained operational and self‑hosted customers could still access their data. Akira actors exfiltrated files and left ransom notes on compromised systems before the company engaged third‑party cybersecurity experts to investigate and remediate the attack. Support channels were limited, with remote ops and support connectivity inaccessible, though email and phone support remained available. The company is working to restore affected systems in a secure manner.
Description
On April 26, 2025, Hitachi Vantara detected suspicious activity on its network and immediately initiated its incident response protocols. The company engaged third‑party subject matter experts to assist with the investigation and remediation. As a containment measure, Hitachi Vantara proactively took its servers offline and restricted inbound and outbound traffic to its main data center. The servers remained offline while the experts validated that it was safe to restore them. Hitachi Vantara issued a statement confirming a ransomware incident that had disrupted some of its systems and noted that it was working to bring the affected systems back online in a secure manner.

The ransomware attack was later identified as being carried out by the Akira ransomware operation, which had stolen files from Hitachi Vantara’s network and dropped ransom notes on compromised systems. While the company’s cloud services were not affected, its internal systems and Hitachi Vantara Manufacturing experienced disruption as part of the containment effort. Remote and support operations were taken offline, making Hitachi Remote Ops and Support Connect inaccessible, although customers with self‑hosted environments could continue to access their data normally. The incident also impacted multiple projects owned by government entities that rely on Hitachi Vantara’s services.

Akira, which emerged in March 2023, had previously added over 300 organizations to its leak site and claimed high‑profile victims such as Stanford University and Nissan’s Oceania and Australia operations, with the FBI reporting that the group had collected roughly $42 million in ransom payments before April 2024.

Throughout the incident, Hitachi Vantara provided updates on a dedicated webpage and stated that it would continue to share information as the investigation progressed. Customers were advised to open support cases by emailing [email protected] or calling their local Hitachi Support line, with phone numbers provided for EMEA (+44 1753‑618990), North America (+1 800‑592‑6580), Australia (+61 1800‑319‑421) and the Rest of World (+1 669‑220‑1350). Partners were instructed to email [email protected] because the Support Connect portal remained inaccessible. The company said it would notify affected parties if any sensitive data was determined to have been compromised, in accordance with its obligations, and emphasized that the investigation was still ongoing at the time of the updates.
