Schneider Electric confirms data was stolen in Cactus ransomware attack

Schneider Electric logo and branding pictured at the Schneider Electric SE stand at the Enlit energy conference in Cape Town, South Africa, on Tuesday, May 16, 2023
(Image credit: Getty Images)

Schneider Electric has confirmed that company data was stolen during a ransomware attack waged by the Cactus threat group. 

A ransomware incident on January 17 affected the firm’s Sustainability Business segment, which included its Resource Advisor system and other “division specific systems”, the firm said.

Customers were warned at the time, but the full extent of the breach is now being understood with the release of additional guidance.

The Cactus ransomware gang claims to have stolen around 1.5TB of data from Schneider Electric, according to reports, and has threatened to publish this online if a ransom demand is not met.

25MB of stolen data was uploaded to the group’s dark web leak site in a bid to prove the veracity of its claims, which included images of US citizens’ passports and scans of non-disclosure agreement documents. Aside from this snippet, it remains unclear precisely what data has been stolen by the group.

Schneider Electric’s Sustainability Business unit provides consultancy services to a range of organizations globally, including Hilton, PepsiCo, and Walmart.

The company said it has informed potentially at-risk customers of the breach and is working to mitigate the impact of the incident.

“On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. The attack has impacted Resource Advisor and other division specific systems,” the firm said.

“Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and to reinforce existing security measures.”

The company emphasized that the Sustainability Business segment is an “autonomous entity” within the company and that no other areas of the Schneider Electric group have been affected by the attack.

“From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cyber security firms and the Schneider Electric Global Incident Response team continuing to take additional actions based on its outcomes, working with relevant authorities,” the firm added.

Schneider Electric is the latest in a growing list of Cactus victims

The Cactus ransomware group is a newcomer to the global threat landscape, and has been active since “at least March 2023”, according to analysis from Quorum Cyber.

Cactus operates under a ‘ransomware as a service’ model and has quickly risen to prominence in recent months, adding more than 100 victims to its dark web leak site.

The group has been observed exploiting corporate VPN appliances to gain initial access to corporate networks. The group’s malware is then able to encrypt itself to “protect the ransomware binary”, according to Quorum Cyber.

This makes it harder to detect and gives it the ability to evade antivirus and network monitoring tools.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.