On April 26, 2025, Hitachi Vantara — the data infrastructure subsidiary of Hitachi Ltd that sells storage hardware, cloud management, and managed recovery services to government agencies and Fortune 500 customers including BMW, Telefonica, T-Mobile, and China Telecom — detected ransomware activity on its internal networks. The company confirmed an Akira ransomware intrusion and, in line with playbook procedure, took its own servers offline to contain the spread. Hitachi Vantara Manufacturing and the company's remote-support operations dropped offline; cloud-hosted customer environments and self-hosted customer data remained available. The incident is a clean example of an emerging pattern: ransomware affiliates increasingly target the vendors that enterprises trust to recover from ransomware. The irony — a data-protection vendor unable to access its own data — is more than rhetorical. Hitachi Vantara customers who had planned their incident-response runbooks around vendor-assisted recovery suddenly faced a degraded support channel exactly when they would most have wanted to invoke it, illustrating the second-order risk of single-vendor recovery strategies.
Who is Akira and how did they get in?
Akira surfaced in March 2023 and quickly grew into one of the most prolific affiliate programs, claiming more than 300 organisations on its leak site through 2025, including Stanford University and Nissan Oceania. The brand is widely linked to Conti-lineage operators. Hitachi Vantara has not publicly disclosed the initial access vector. Akira affiliates' established tradecraft is dominated by exploitation of Cisco ASA and FTD devices configured with single-factor authentication or weak MFA (the bulk of Cisco TALOS-tracked Akira intrusions in 2024-2025), SonicWall SMA and SSL-VPN appliance vulnerabilities (CVE-2024-40766 and CVE-2025-23006), and abuse of stolen RDP credentials sold by initial access brokers. Once inside, Akira affiliates rapidly disable EDR, exfiltrate via WinSCP or Rclone to Mega.io, then deploy the Rust-based Akira encryptor.
What did the attackers actually access?
Hitachi Vantara's public statement said the affected systems included internal IT, Hitachi Vantara Manufacturing, and remote support tooling. The company emphasised that cloud services for customers were not affected and that customers with self-hosted environments retained access to their data. Akira's data-leak site subsequently listed Hitachi Vantara among its victims and claimed exfiltration of internal project documentation. The most consequential downstream impact for customers was loss of vendor remote support during the recovery window — a particularly painful outage for organisations whose own incident-response plans assume Hitachi Vantara engineers will be one call away during a storage failure or ransomware recovery exercise.
How long were they inside?
Hitachi Vantara has not publicly disclosed dwell time, but Akira affiliates' median dwell time across Cisco TALOS and Mandiant case data sits between 5 and 13 days from initial access to encryption. The fast cadence is deliberate: Akira affiliates aim to encrypt before standard SOC retention windows force log rotation, and before defenders complete the routine credential-rotation cycles that follow a typical phishing or stealer-log alert. The Hitachi Vantara case followed the standard arc of weekend-timed detection, immediate proactive shutdown, and a multi-week recovery to bring internal and manufacturing systems back online. The decision to take customer-support tooling offline rather than risk lateral movement to managed customer environments was the right call operationally, though it inevitably amplified the customer-experience impact during the recovery window.
What did existing controls miss?
Three failures recur in Akira intrusions, and the broader pattern almost certainly applies here. First, perimeter VPN and remote-access devices routinely fall outside EDR and SIEM coverage; an ASA or SonicWall appliance compromise hands the attacker a foothold that no endpoint sensor will see. Second, MFA enforcement gaps on remote-access devices remain endemic in 2025; Cisco's own advisory for CVE-2023-20269 and subsequent ASA disclosures stress that affiliates target legacy authentication policies that allow single-factor fallbacks. Third, flat internal networks let one ASA compromise become a manufacturing-systems outage, which is why Hitachi Vantara had to take so many systems offline at once.
# Detection: Akira pre-encryption staging
# Network indicators worth alerting on for any enterprise SOC
indicators:
  exfil_user_agent:
    - 'Rclone/v'
    - 'WinSCP/'
  c2_domains_pattern:
    # Akira historically uses bullet-proof hosting + Tor
    - '*.onion'
  living_off_the_land:
    - 'powershell.exe -nop -w hidden -enc'
    - 'net1 group "Domain Admins" /domain'
    - 'wevtutil cl Security'
  edr_disable:
    - 'sc stop SentinelAgent'
    - 'sc stop CSAgent'
    - 'Set-MpPreference -DisableRealtimeMonitoring $true'
response:
  - Isolate host on first wevtutil cl + Rclone correlation
  - Force credential rotation for any account observed running these
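The response rule above (isolate on the first host where a Security-log clear and an Rclone/WinSCP transfer coincide, then rotate every account seen running an indicator) can be applied to raw events with a few lines of correlation logic. This is an added example, not code from the original post: the indicator strings are copied from the YAML above, while the pipe-delimited log format, host names and accounts are constructed.

```python
from collections import defaultdict

# Indicator strings copied from the detection YAML above; the log format,
# host names and accounts below are constructed for this example.
INDICATORS = {
    "exfil_user_agent": ["Rclone/v", "WinSCP/"],
    "living_off_the_land": ["powershell.exe -nop -w hidden -enc",
                            'net1 group "Domain Admins" /domain',
                            "wevtutil cl Security"],
    "edr_disable": ["sc stop SentinelAgent", "sc stop CSAgent",
                    "Set-MpPreference -DisableRealtimeMonitoring $true"],
}

def classify(message):
    """Return the indicator categories one event message matches (case-insensitive)."""
    low = message.lower()
    return {cat for cat, patterns in INDICATORS.items()
            if any(p.lower() in low for p in patterns)}

def correlate(lines):
    """Fold 'ts|host|user|message' events into per-host state.

    isolate becomes True when the page's response rule fires: a Security-log
    clear (wevtutil cl) and an Rclone/WinSCP exfil agent seen on the same host.
    rotate_users collects every account observed running any indicator there."""
    hosts = defaultdict(lambda: {"categories": set(), "rotate_users": set(),
                                 "log_cleared": False, "isolate": False})
    for line in lines:
        ts, host, user, message = line.strip().split("|", 3)
        cats = classify(message)
        if not cats:
            continue                      # benign event, nothing to record
        h = hosts[host]
        h["categories"] |= cats
        h["rotate_users"].add(user)
        if "wevtutil cl" in message.lower():
            h["log_cleared"] = True
        h["isolate"] = h["log_cleared"] and "exfil_user_agent" in h["categories"]
    return dict(hosts)

# Constructed sample events: FS-01 shows the full staging sequence,
# WS-17 only an RDP logon followed by domain-admin enumeration.
SAMPLE_LOGS = [
    "2025-04-26T02:11:03Z|FS-01|svc_backup|proxy ua=rclone/v1.66.0 dst=mega.io",
    "2025-04-26T02:14:40Z|FS-01|svc_backup|proc cmd=wevtutil cl Security",
    "2025-04-26T02:15:02Z|FS-01|jdoe|proc cmd=sc stop SentinelAgent",
    "2025-04-26T02:20:00Z|WS-17|jdoe|logon type=10 src=10.0.5.12",
    '2025-04-26T02:21:45Z|WS-17|jdoe|proc cmd=net1 group "Domain Admins" /domain',
]

if __name__ == "__main__":
    for host, state in correlate(SAMPLE_LOGS).items():
        print(host, "ISOLATE" if state["isolate"] else "watch", sorted(state["rotate_users"]))
```

Running the block flags FS-01 for isolation with both svc_backup and jdoe queued for credential rotation, while WS-17 is only watch-listed because no exfil agent has been seen there yet.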
What should defenders do now?
Six concrete steps. First, treat your storage, backup, and managed-recovery vendors the same way you treat your identity provider — they are tier-zero suppliers whose own incident becomes your incident-response degradation. Second, mandate phishing-resistant MFA on every remote-access appliance the vendor ships or operates on your behalf, and audit the vendor's own MFA posture during procurement. Third, build SBOMs for storage and backup software so that any Cisco ASA, SonicWall, or FortiOS zero-day immediately surfaces every appliance in your environment. Fourth, validate that backup immutability actually holds: Akira affiliates target Veeam, Commvault, and storage-snapshot platforms specifically because legacy admin accounts often retain delete-snapshot privileges. Fifth, run a tabletop where your storage vendor's remote-support channel is unavailable for 14 days — that is the realistic outage window. Sixth, subscribe to Cisco TALOS, CISA, and the storage-vendor PSIRT feeds so that you do not learn about a new Akira-favoured CVE from a leak-site post.
How does Hitachi Vantara compare to other 2024-2025 enterprise IT-vendor ransomware events?
The Hitachi Vantara case slots into a growing pattern of ransomware affiliates targeting the vendors that enterprises rely on for resilience. CDK Global in June 2024 took roughly 15,000 US car dealerships offline; Blue Yonder in November 2024 took Starbucks and major UK grocers into manual operations; Microsoft Recall and other vendor-side incidents have shown the same blast-radius dynamic. Akira affiliates specifically have favoured technology-services and storage-adjacent victims through 2024 and 2025 because the multiplier effect on each ransom demand is large: an enterprise-storage vendor's downtime forces customers to pause their own incident-response work just as they need it. Comparison with the CDK Global outage is instructive — CDK ultimately paid an estimated $25 million ransom after roughly two weeks of downtime, while Hitachi Vantara declined to confirm its decision. The reputational and contractual exposure for storage and managed-recovery vendors after a successful Akira intrusion is now a board-level conversation, and several CISOs in the wake of the April 26 disclosure publicly pushed for contractual right-to-audit clauses on vendor IR maturity.
How Safeguard Helps
Safeguard ingests SBOMs from storage and backup software stacks and continuously cross-references them against Cisco PSIRT, SonicWall PSIRT, and CISA KEV, so a new Akira-favoured CVE surfaces every affected appliance and managed-service host in minutes. Griffin AI reachability analysis tells you which Hitachi-class storage management consoles are reachable from untrusted segments versus segmented behind jump hosts, and which legacy ASA or SMA models still allow single-factor authentication paths. TPRM workflows score vendors like Hitachi Vantara, Veeam, and Commvault against the CISA Secure by Design pledge and require contractual breach-notification SLAs; policy gates block deployments that fall below your minimum patch baseline. When an Akira intrusion hits one of your suppliers, responders see a single prioritised view of which products in your fleet share components with the affected vendor — not a 48-hour spreadsheet drill.