Schneider Electric has confirmed that company data was stolen during a ransomware attack waged by the Cactus threat group.
A ransomware incident on January 17 affected the firm’s Sustainability Business segment, which included its Resource Advisor system and other “division specific systems”, the firm said.
Customers were warned at the time, but the full extent of the breach is now being understood with the release of additional guidance.
The Cactus ransomware gang claims to have stolen around 1.5TB of data from Schneider Electric, according to reports, and has threatened to publish this online if a ransom demand is not met.
25MB of stolen data was uploaded to the group’s dark web leak site in a bid to prove the veracity of its claims, which included images of US citizens’ passports and scans of non-disclosure agreement documents. Aside from this snippet, it remains unclear precisely what data has been stolen by the group.
Schneider Electric’s Sustainability Business unit provides consultancy services to a range of organizations globally, including Hilton, PepsiCo, and Walmart.
The company said it has informed potentially at-risk customers of the breach and is working to mitigate the impact of the incident.
“On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. The attack has impacted Resource Advisor and other division specific systems,” the firm said.
Discover how you can account for everything that consumes energy across your portfolio of sites
“Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and to reinforce existing security measures.”
The company emphasized that the Sustainability Business segment is an “autonomous entity” within the company and that no other areas of the Schneider Electric group have been affected by the attack.
“From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cyber security firms and the Schneider Electric Global Incident Response team continuing to take additional actions based on its outcomes, working with relevant authorities,” the firm added.
Schneider Electric is the latest in a growing list of Cactus victims
The Cactus ransomware group is a newcomer to the global threat landscape, and has been active since “at least March 2023”, according to analysis from Quorum Cyber.
Cactus operates under a ‘ransomware as a service’ model and has quickly risen to prominence in recent months, adding more than 100 victims to its dark web leak site.
The group has been observed exploiting corporate VPN appliances to gain initial access to corporate networks. The group’s malware is then able to encrypt itself to “protect the ransomware binary”, according to Quorum Cyber.
This makes it harder to detect and gives it the ability to evade antivirus and network monitoring tools.
