Schneider Electric confirms data was stolen in Cactus ransomware attack
Schneider Electric said corporate data has been stolen, but insisted that the attack on its sustainability division was an isolated incident


Schneider Electric has confirmed that company data was stolen during a ransomware attack waged by the Cactus threat group.
A ransomware incident on January 17 affected the firm’s Sustainability Business segment, which included its Resource Advisor system and other “division specific systems”, the firm said.
Customers were warned at the time, but the full extent of the breach is only now becoming clear with the release of additional guidance.
The Cactus ransomware gang claims to have stolen around 1.5TB of data from Schneider Electric, according to reports, and has threatened to publish this online if a ransom demand is not met.
The group uploaded 25MB of stolen data, including images of US citizens’ passports and scans of non-disclosure agreement documents, to its dark web leak site in a bid to prove the veracity of its claims. Aside from this snippet, it remains unclear precisely what data has been stolen by the group.
Schneider Electric’s Sustainability Business unit provides consultancy services to a range of organizations globally, including Hilton, PepsiCo, and Walmart.
The company said it has informed potentially at-risk customers of the breach and is working to mitigate the impact of the incident.
“On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. The attack has impacted Resource Advisor and other division specific systems,” the firm said.
“Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and to reinforce existing security measures.”
The company emphasized that the Sustainability Business segment is an “autonomous entity” within the company and that no other areas of the Schneider Electric group have been affected by the attack.
“From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cyber security firms and the Schneider Electric Global Incident Response team continuing to take additional actions based on its outcomes, working with relevant authorities,” the firm added.
Schneider Electric is the latest in a growing list of Cactus victims
The Cactus ransomware group is a newcomer to the global threat landscape, and has been active since “at least March 2023”, according to analysis from Quorum Cyber.
Cactus operates under a ‘ransomware as a service’ model and has quickly risen to prominence in recent months, adding more than 100 victims to its dark web leak site.
The group has been observed exploiting corporate VPN appliances to gain initial access to corporate networks. The group’s malware is then able to encrypt itself to “protect the ransomware binary”, according to Quorum Cyber.
This makes it harder to detect and gives it the ability to evade antivirus and network monitoring tools.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.