Schneider Electric Confirms Data Leak From a Ransomware Attack

Schneider Electric has suffered a ransomware attack affecting systems specific to its Sustainability Business division, including the Resource Advisory system, a data visualization tool serving over 2,000 companies.

The division offers consultancy services on renewable energy solutions and assists clients in complying with climate regulatory requirements.

Employing over 150,000 people worldwide, Schneider boasts of assisting “40% of the Fortune 500 companies” to reduce emissions and aims to eliminate “800 million tons of CO2 emissions by 2025.”

Meanwhile, the French multinational energy and automation company said the Jan 17 ransomware attack was limited to its Sustainability Business division.

“Sustainability Business is an autonomous entity operating its isolated network infrastructure; no other entity within the Schneider Electric group has been affected,” said Schneider Electric.

Schneider Electric responds to a ransomware attack

Schneider said it mobilized its Global Incident Response team to contain the ransomware attack and reinforce existing security measures.

It also hired an external cybersecurity firm to investigate the ransomware attack and was working with relevant authorities. Schneider plans to take additional actions based on the outcome of the inquiry.

The company is also working to restore business systems in a secure environment with the expectation that access will resume in the next two business days. On average, the downtime resulting from a ransomware attack lasts 24 days.

A status update on Schneider’s website stated that the company reopened the Sustainability Business division’s business systems on January 31, 2024.

Schneider Electric ransomware attack leaked data

Schneider has confirmed that data was accessed during the ransomware attack and has notified the impacted customers.

“From an impact assessment standpoint, the on-going investigation shows that data have been accessed,” said Schneider Electric.

However, the nature of the stolen data remains undisclosed. It could include corporate information, such as energy utilization, regulatory compliance, and automation data. Energy companies also collect and store personal and financial information.

“While purely speculation at this time, the timing of the attack is curious as it is just days before the company releases its annual financial results,” said Yossi Rachman, senior director of research at Semperis. “And often ransomware attacks become material events quickly when data is stolen. And in the case of Schneider, we are talking about terabytes of data.”

Schneider has promised “to continue the dialogue directly with its impacted customers” and “continue to provide information and assistance as relevant.”

Schneider’s cyber attack is linked to the Cactus ransomware gang

The Schneider Electric ransomware attack was attributed to the Cactus ransomware group, which has threatened to leak terabytes of stolen data unless the company pays an undisclosed ransom.

Schneider has not confirmed Cactus ransomware’s involvement, and the energy and automation company’s name has not appeared on the group’s dark web data leak site.

“The connection of the Schneider Electric attack to the Cactus ransomware group likely arises from two factors: Cactus’ history of targeting corporate networks and potential Qlik software use within Schneider Electric,” said Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start. “Since Cactus previously exploited vulnerabilities in Qlik software, it further strengthens the Cactus connection.”

Since March 2023, when it began operations, the Cactus ransomware gang has allegedly victimized at least 88 businesses, including Groupe Promotrans, Seymours, Marfrig Global Foods, MINEMAN Systems, and Maxxd Trailers.

“Naturally, with high-profile customers including Hilton and PepsiCo, Schneider Electric fits the bill,” said Darren Williams, CEO and Founder of BlackFog.

The group exploits virtual private network (VPN) appliances for initial access and deploys SSH backdoors for persistence. Microsoft threat intelligence also warned that it observed the gang using online advertisements to target its victims. However, the attack vector exploited in the Schneider Electric attack remains undisclosed.
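Because SSH-based persistence is the only concrete technique the article attributes to the group, a defender would want a quick way to review who is logging in over SSH and with which keys. The following is an added example written for this page, not code from Schneider Electric, Microsoft or any of the quoted vendors. It parses sshd "Accepted" log lines (the sample lines, key fingerprints, hostnames and IP addresses are all constructed) and flags logins that use a key fingerprint absent from the inventory, logins that use a password where keys are expected, and key logins from outside an assumed internal address range.

```python
import re

# Constructed sample sshd log lines; hostnames, fingerprints and IPs are made up.
SAMPLE_LOG = """\
Jan 17 02:14:03 web01 sshd[4112]: Accepted publickey for deploy from 10.0.5.21 port 51422 ssh2: ED25519 SHA256:abcKnownKeyFingerprint0001
Jan 17 02:15:47 web01 sshd[4190]: Accepted publickey for root from 203.0.113.45 port 40022 ssh2: RSA SHA256:zzzUnknownKeyFingerprint9999
Jan 17 02:16:10 web01 sshd[4201]: Accepted password for svc_backup from 10.0.5.30 port 50010 ssh2
Jan 17 03:01:55 web01 sshd[4333]: Accepted publickey for deploy from 198.51.100.7 port 39901 ssh2: ED25519 SHA256:abcKnownKeyFingerprint0001
"""

# Hypothetical key inventory: fingerprint -> account the key is authorized for.
KNOWN_KEYS = {"SHA256:abcKnownKeyFingerprint0001": "deploy"}

# Hypothetical internal address prefixes; anything else is treated as external.
INTERNAL_PREFIXES = ("10.",)

# Matches sshd's "Accepted <method> for <user> from <ip> port <n> ssh2[: <keytype> <fingerprint>]"
LINE_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port \d+ ssh2(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)


def audit_ssh_logins(log_text, known_keys=KNOWN_KEYS, internal=INTERNAL_PREFIXES):
    """Return a list of (user, ip, reason) tuples for logins worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an accepted-login record
        user, ip, method, fp = m["user"], m["ip"], m["method"], m["fp"]

        # Password authentication where only key-based logins are expected.
        if method == "password":
            findings.append((user, ip, "password-auth"))
            continue

        # A key whose fingerprint is not in the inventory is a possible planted backdoor key.
        if fp not in known_keys:
            findings.append((user, ip, "unknown-key"))
        # A known key used for an account it was not issued to.
        elif known_keys[fp] != user:
            findings.append((user, ip, "key-account-mismatch"))

        # Any key login that did not come from the internal ranges.
        if not ip.startswith(internal):
            findings.append((user, ip, "external-source"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in audit_ssh_logins(SAMPLE_LOG):
        print(f"{reason:22s} user={user} from={ip}")
```

On the constructed sample the first line is clean, the root login is flagged twice (unknown key and external source), the password login is flagged once, and the final line shows a legitimate key being used from an external address, which is the pattern to reconcile against VPN or bastion records. In practice the key inventory would be built from the authorized_keys files actually deployed, and the internal prefixes from the organization's address plan.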

In the past, Schneider Electric has suffered cyber attacks, being one of the victims of the Clop ransomware gang’s MOVEit data breach that affected thousands of companies.

The energy sector, part of the critical infrastructure, is a desirable target due to the widespread impacts that disruption could cause.

“This Cactus ransomware attack on Schneider Electric joins the recent uptick of critical national infrastructure (CNI) attacks,” Williams concluded. “In particular, the energy sector is a prime target due to its potentially lucrative rewards, if successful, and the maximum chaos caused by its widespread public reach.”