Energy giant Schneider Electric hit by Cactus ransomware attack

Jan. 30, 2024
Terabytes of data have reportedly been stolen from its Sustainability Business division earlier this month, and parts of its Resource Advisor cloud platform continue to suffer outages today.

Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter.

BleepingComputer has learned that the ransomware attack hit the company's Sustainability Business division earlier this month on January 17th.

The attack disrupted parts of Schneider Electric's Resource Advisor cloud platform, which continues to suffer outages today.

The ransomware gang reportedly stole terabytes of corporate data during the cyberattack and is now extorting the company by threatening to leak the stolen data if a ransom demand is not paid.

While it is not known what type of data was stolen, the Sustainability Business division provides consulting services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.

Customers of Schneider Electric's Sustainability Business division include Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.

The stolen data could contain sensitive information about customers' power utilization, industrial control and automation systems, and compliance with environmental and energy regulations.

It is not known whether Schneider Electric will pay the ransom demand, but if it does not, the ransomware gang will likely leak the stolen data, as it has done after previous attacks.

In a statement to BleepingComputer, Schneider Electric confirmed that its Sustainability Business division suffered a cyberattack and that data was accessed by the threat actors. However, the company says the attack was restricted to this one division and did not impact other parts of the company.

"From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment. Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.

From a containment standpoint, as Sustainability Business is an autonomous entity operating its isolated network infrastructure, no other entity within the Schneider Electric group has been affected. 

From an impact assessment standpoint, the on-going investigation shows that data have been accessed. As more information becomes available, the Sustainability Business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant. 

From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cybersecurity firms and the Schneider Electric Global Incident Response team continuing to take additional actions based on its outcomes, working with relevant authorities." - Schneider Electric.

Schneider Electric is a French multinational company that manufactures energy and automation products ranging from household electrical components found in big box stores to enterprise-level industrial control and building automation products.

Schneider Electric had $28.5 billion in revenue for the first nine months of 2023 and employs over 150,000 people worldwide. Schneider Electric is expected to release its 2023 full-year financial results next month.

Some of its well-known consumer brands include Homeline, Square D, and APC, the manufacturer of widely used uninterruptible power supply (UPS) devices.

Schneider Electric was previously targeted in the widespread MOVEit data theft attacks by the Clop ransomware gang that impacted over 2,700 companies.

Who is Cactus ransomware

The Cactus ransomware operation launched in March 2023 and has since listed numerous companies that it claims to have breached in cyberattacks.

Like other ransomware operations, the Cactus threat actors breach corporate networks using purchased credentials, partnerships with malware distributors, phishing attacks, or exploitation of vulnerabilities.

Once the threat actors gain access to a network, they quietly spread to other systems while stealing corporate data on servers.

After stealing the data and gaining administrative privileges on the network, the threat actors encrypt files and leave ransom notes behind.

The threat actors then conduct double-extortion attacks, in which the ransom payment buys both a file decryptor and a promise to delete, rather than leak, the stolen data.

For those companies who do not pay a ransom, the threat actors will leak their stolen data on a data leak site.

At this time, there are over 80 companies listed on Cactus' data leak site whose data has either already been leaked or is threatened with release.

Expert Dr. Darren Williams, CEO and Founder, BlackFog, comments:

“This Cactus ransomware attack on Schneider Electric joins the recent uptick of critical national infrastructure (CNI) attacks. In particular, the energy sector is a prime target due to its potentially lucrative rewards, if successful, and the maximum chaos caused by its widespread public reach. Naturally, with high-profile customers including Hilton and PepsiCo, Schneider Electric fits the bill.

The Cactus group, which has been around since March 2023, appears to favor CNI sector organizations as its victims, most recently leaking updated identity documents stolen from Peterson Health Care just over a month ago in December.

The UK’s NCSC recently warned of exponential threat increases towards CNI in its annual review, particularly as global tensions are on the rise; preventative measures like anti data exfiltration are the safest option for CNI companies to defend against nasty attacks like these.

Moreover, it is essential that organizations do not bow down to these extortion demands, as doing so can potentially worsen their position – who’s to say the attackers won’t put stolen data to ill-use post-ransom payment? Not to mention the legal and reputational consequences, depending on the country the company is based in.”

Jess Parnell, CISO at Centripetal, commented:

"In light of this recent ransomware attack, it underscores the urgent need for companies to adopt modern, proactive, and intelligence-powered cybersecurity technologies. The incident highlights the ever-present and evolving threat landscape that businesses face in the digital age. To safeguard sensitive data and ensure the continuity of operations, organizations must invest in cutting-edge cybersecurity measures that go beyond traditional defenses. Implementing robust intelligence-powered solutions is imperative to minimize the impact of known cyber threats and to stay one step ahead of malicious actors seeking to exploit vulnerabilities. In today's interconnected world, a proactive cybersecurity stance is not just a best practice but a critical necessity for the survival and resilience of any modern enterprise."

If you have any information regarding this incident or any other undisclosed attacks, you can contact Bleeping Computer confidentially via Signal at 646-961-3731 or at [email protected].