Attack alert: akira targets Advanced Power - GB
Introduction
On December 5, 2025, Advanced Power, a British supplier of industrial electrical equipment established in 1995, was the victim of a cyberattack by the akira ransomware group. With an estimated turnover of between £5 million and £10 million and a workforce of 10 to 50 employees, this UK-based company holds sensitive customer data, industrial control systems, and critical technical information that are now potentially compromised. The incident, classified as SIGNAL level according to DataInTheDark's XC-Classify methodology, raises major concerns for the industrial equipment sector, which is particularly vulnerable to operational disruptions. This attack is part of akira's strategy of targeting critical infrastructure and corporate networks with a double extortion approach, combining system encryption with the threat of publishing exfiltrated data.
Analysis of this incident reveals the growing risks facing British industrial equipment suppliers, whose technical systems and customer databases are prime targets for malicious actors. The potential consequences extend far beyond Advanced Power, threatening its entire supply chain and industrial partners. Certification of this attack via the XC-Audit protocol on the Polygon blockchain guarantees transparent and verifiable traceability, enabling organizations in the sector to accurately assess the risks they face.
Detailed analysis
Akira has been one of the most active ransomware threats since its emergence in March 2023. This cybercriminal collective is distinguished by its ability to simultaneously compromise Windows and Linux environments, with particular expertise in attacking VMware ESXi servers used for enterprise virtualization. Unlike Ransomware-as-a-Service (RaaS) models where affiliates rent the malicious infrastructure, Akira operates independently, maintaining complete control over its operations and victims.
Akira's modus operandi relies on a particularly formidable double extortion strategy. Attackers first exfiltrate large volumes of sensitive data before deploying their malicious encryption payload. This approach maximizes the pressure on victims: even if they have working backups, the threat of publication on the leak site hosted on the Tor network remains. The ransoms demanded vary considerably depending on the size and criticality of the target, ranging from $200,000 to $4 million, and are always demanded in Bitcoin to guarantee the anonymity of the transactions.
Akira's technical arsenal exploits several initial attack vectors. The group primarily targets unpatched VPN services, exploiting known but unpatched vulnerabilities to establish a discreet entry point into corporate networks. Compromised Remote Desktop Protocol (RDP) credentials are another preferred vector, often obtained through targeted phishing campaigns or purchases on underground forums. Once initial access is established, Akira abuses legitimate remote administration tools to maintain its persistence and laterally expand its presence within the compromised network.
The Windows variant of the ransomware leverages Microsoft's native cryptographic API to encrypt files, adding the ".akira" extension to compromised documents. Its developers have incorporated evasion logic that deliberately excludes critical system folders from the encryption process, keeping the host bootable and avoiding premature detection. The education, manufacturing, and healthcare sectors are among the group's preferred targets, and the group continues to refine its evasion techniques and improve the encryption speed of its latest variants.
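As an added defensive illustration (not code from DataInTheDark, Advanced Power or the ransomware), the following Python flags a burst of files acquiring the ".akira" extension while ignoring the system folders the Windows variant is described as skipping; the event format, folder list, window and threshold are assumptions, and the events are constructed sample data.

```python
"""Burst detector for Akira-style mass encryption: many files gaining the
".akira" extension in a short window. Added example; the event shape
(ISO timestamp, new path) and thresholds are assumptions, not a spec."""
from collections import deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

AKIRA_EXT = ".akira"
# Top-level folders the Windows variant reportedly leaves alone. A ".akira"
# file there is more likely a test artifact than live encryption, so it is
# not counted. Assumed list derived from the page's description.
EXCLUDED_ROOTS = {"windows", "program files", "program files (x86)", "programdata"}


def is_suspicious_rename(new_path: str) -> bool:
    """True when the new name carries the .akira suffix outside system folders."""
    p = PureWindowsPath(new_path)
    if p.suffix.lower() != AKIRA_EXT:
        return False
    parts = [part.lower() for part in p.parts[1:]]  # drop the drive anchor
    return not (parts and parts[0] in EXCLUDED_ROOTS)


def detect_bursts(events, threshold=20, window=timedelta(seconds=60)):
    """Return [(window_start_iso, count)] each time the number of suspicious
    renames inside a sliding window first reaches the threshold."""
    hits = []
    recent = deque()
    for ts, path in sorted(events):
        if not is_suspicious_rename(path):
            continue
        t = datetime.fromisoformat(ts)
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:  # crossing, so one alert per burst
            hits.append((recent[0].isoformat(), len(recent)))
    return hits


# Constructed sample events: 25 engineering drawings renamed within 25 s,
# 5 renames inside C:\Windows (ignored), and one unrelated file write.
_BASE = datetime(2025, 12, 5, 3, 14, 0)
SAMPLE_EVENTS = [((_BASE + timedelta(seconds=i)).isoformat(),
                  rf"C:\Users\eng\Projects\drawing_{i:03d}.dwg.akira") for i in range(25)]
SAMPLE_EVENTS += [((_BASE + timedelta(seconds=i)).isoformat(),
                   rf"C:\Windows\System32\lib{i}.dll.akira") for i in range(5)]
SAMPLE_EVENTS.append(((_BASE + timedelta(seconds=40)).isoformat(), r"C:\Users\eng\notes.txt"))

if __name__ == "__main__":
    for start, count in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {count} .akira renames since {start}")
```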
Advanced Power, founded in 1995, has established itself as a key player in the UK industrial electrical equipment market. With three decades of experience, the company has developed cutting-edge technical expertise and built a loyal customer base in the industrial sector. Its turnover, estimated at between £5 million and £10 million, reflects significant activity in a highly specialized niche market.
The company's workforce of 10 to 50 employees reflects an agile organizational structure, typical of specialized SMEs in the industrial equipment sector. However, this size of company presents specific cybersecurity vulnerabilities: limited resources to maintain a dedicated IT security team, constrained budgets for advanced protection solutions, and potential reliance on external providers for IT infrastructure management.
The nature of Advanced Power's business involves handling highly sensitive data. Customer information includes detailed technical specifications, installation diagrams, industrial control system configurations, and potentially data relating to its customers' critical infrastructure. Supervisory control and data acquisition (SCADA) systems used in the industrial power sector represent high-value targets for malicious actors, as their compromise can lead to major operational disruptions.
Advanced Power's UK location subjects the company to a strict regulatory framework regarding data protection and the security of critical infrastructure. The UK maintains high standards for industrial equipment suppliers, particularly those operating in sensitive sectors. The compromise of this company raises questions about the security of its entire supply chain and the protection of technical information shared with its industrial partners.
The incident of December 5, 2025, has an exposure profile classified at the SIGNAL level according to DataInTheDark's XC-Classify methodology. This level indicates early detection of malicious activity, before a massive data release has been confirmed. This classification allows organizations in the sector to anticipate potential risks and proactively activate their incident response protocols.
The nature of the data held by Advanced Power suggests a multidimensional exposure. The customer information likely includes detailed technical specifications for industrial electrical installations, wiring diagrams, power distribution system configurations, and potentially access data for control systems. This information is of strategic value to malicious actors targeting critical infrastructure or seeking to compromise Advanced Power's end customers.
The initial attack vector is still under investigation, but akira's documented modus operandi suggests several likely scenarios. Exploiting an unpatched VPN service is the most plausible hypothesis for a company of this size, which often faces budgetary constraints limiting the frequency of security updates. Compromised RDP credentials represent a credible alternative, particularly if Advanced Power uses remote access solutions for its field technicians.
The incident timeline indicates a discovery on December 5, 2025, but the initial intrusion could date back several weeks. Akira typically favors a patient approach, establishing a discreet presence within the compromised network before proceeding with the mass exfiltration of data and the deployment of ransomware. This strategy allows attackers to identify the most valuable assets, understand the network architecture, and disable backup solutions before launching the final offensive.
The risks to exposed data extend far beyond mere confidentiality. Technical specifications of industrial electrical equipment can reveal exploitable vulnerabilities in end-customer facilities. Exposed industrial control system configurations could facilitate subsequent attacks against critical infrastructure. Contractual and commercial information compromises Advanced Power's competitive position and exposes its customers to the risk of secondary targeting.
Frequently Asked Questions
When did the attack by akira on Advanced Power occur?
The attack occurred on December 5, 2025, and was claimed by akira. The incident can be tracked directly on the dedicated alert page for Advanced Power.
Who is the victim of akira?
The victim is Advanced Power, which operates in the industrial equipment sector. The company is located in the United Kingdom. Visit Advanced Power's official website. To learn more about the akira threat actor and their other attacks, visit their dedicated page.
What is the XC protocol level for the attack on Advanced Power?
The XC protocol level is currently at XC SIGNAL status, meaning the attack on Advanced Power has been claimed by akira but has not yet been confirmed by our community. Follow the progress of this alert.
Conclusion
The attack against Advanced Power illustrates the systemic vulnerabilities of the UK industrial equipment sector. Electrical equipment suppliers occupy a strategic position in critical infrastructure supply chains, making their compromise particularly concerning. A disruption to their operations or a leak of their technical data can trigger cascading effects impacting multiple sectors dependent on their products and services.