Schneider Electric faces ransomware attack in Sustainability Business; Cactus group involved

Energy management and industrial automation firm Schneider Electric has confirmed a ransomware incident in its Sustainability Business division. The attack, believed to be carried out by the Cactus ransomware gang, has resulted in the theft of corporate data. While the company is working to restore access to its business platforms within the next two business days, the Resource Advisor cloud platform continues to experience outages. 

Schneider Electric’s Global Incident Response team is actively responding to the ransomware incident and reinforcing security measures. The cybersecurity incident highlights the persistent threat posed by the Cactus ransomware group.

News reports indicated that Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, citing people familiar with the matter. The attack disrupted some of Schneider Electric’s Resource Advisor cloud platform, which continues to suffer outages. “The ransomware gang reportedly stole terabytes of corporate data during the cyberattack and is now extorting the company by threatening to leak the stolen data if a ransom demand is not paid,” the report added.

While it is not known what type of data was stolen, the Sustainability Business division provides consulting services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.

“On January 17th, 2024, a ransomware incident affected Schneider Electric Sustainability Business division. The attack has impacted Resource Advisor and other division-specific systems,” according to a statement released Tuesday by Schneider Electric. 

The Schneider Electric Global Incident Response team has been immediately mobilized to respond to the attack, contain the incident, and reinforce existing security measures. Additionally, the Sustainability Business division has informed impacted customers.

From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment, Schneider Electric said. “Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.”

It added that, from a containment standpoint, because Sustainability Business is an autonomous entity operating its own isolated network infrastructure, no other entity within the Schneider Electric group has been affected. “From an impact assessment standpoint, the ongoing investigation shows that data have been accessed. As more information becomes available, the Sustainability Business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant.”

The statement also disclosed that from a forensic analysis standpoint, the detailed analysis of the incident continues with cybersecurity firms and the Schneider Electric Global Incident Response team continuing to take additional actions based on its outcomes, working with relevant authorities.

Industrial cybersecurity company Dragos said in November that Cactus accounted for 6.9 percent of incidents (16 incidents) during the third quarter last year.

Responding to the attack by the Cactus ransomware group on Schneider Electric, Darren Williams, CEO and founder of BlackFog, wrote in an emailed statement that this Cactus ransomware attack on Schneider Electric joins the recent uptick in attacks on critical national infrastructure (CNI). “In particular, the energy sector is a prime target due to its potentially lucrative rewards, if successful, and the maximum chaos caused by its widespread public reach. Naturally, with high-profile customers including Hilton and PepsiCo, Schneider Electric fits the bill,” he added.

Williams said that the Cactus group, which has been around since March 2023, appears to favor CNI sector organizations as its victims, most recently leaking updated identity documents stolen from Peterson Health Care just over a month ago in December.

He also pointed out that the U.K.’s NCSC recently warned of sharply rising threats to CNI in its annual review, particularly as global tensions rise, and that preventative measures such as anti-data exfiltration are the safest option for CNI companies to defend against attacks like these.

Whether for IoT, OT (operational technology), or ICS (industrial control system) systems, it has been a long-standing best practice to keep these systems on dedicated and isolated networks to prevent lateral movement if vulnerable IoT devices are breached, John Gallagher, vice president of Viakoo Labs at Viakoo, wrote in an emailed statement. “But this is not that situation; this is a business division and more like a fully separate company.”

He added that in addition to isolated or segmented networks, “effective use of zero trust principles can also be effective in preventing lateral movement within an organization.”

“Using application-based discovery to identify all application, device, and port relationships can also be effective in setting up and maintaining an isolated network,” according to Gallagher. “Too often a network is properly configured and isolated, but over time both users and configuration drift can impact that segmentation and allow punch-throughs.”
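The segmentation drift Gallagher describes is something a defender can check for continuously: record the sanctioned application, device and port relationships that are allowed to cross the boundary of an isolated segment, then compare observed flows against that baseline and flag anything else as a candidate punch-through. The following is an added illustration, not code from Schneider Electric, Viakoo or the article; the segment range, the baseline entries and the flow log lines are all constructed for the example.

```python
"""Detect network-segmentation drift from constructed flow records.

Baseline: the application/device/port relationships that are supposed to
exist between an isolated segment and the rest of the network. Any observed
flow that crosses the segment boundary but is not in the baseline is a
candidate "punch-through" for the network team to investigate.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Constructed example values (assumption): the isolated segment and the
# sanctioned relationships that may cross its boundary.
ISOLATED_SEGMENT = ipaddress.ip_network("10.50.0.0/16")

# (source host/net, destination host/net, destination port, protocol)
BASELINE = [
    ("10.50.1.0/24", "10.50.2.10/32", 1433, "tcp"),  # app tier -> database (inside segment)
    ("10.50.2.10/32", "10.10.0.5/32", 514, "udp"),   # database host -> central syslog collector
]


def parse_flow(line):
    """Parse a constructed 'src=... dst=... port=... proto=...' flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["port"]), fields["proto"])


def crosses_boundary(flow):
    """True when exactly one endpoint sits inside the isolated segment."""
    src_in = ipaddress.ip_address(flow.src) in ISOLATED_SEGMENT
    dst_in = ipaddress.ip_address(flow.dst) in ISOLATED_SEGMENT
    return src_in != dst_in


def in_baseline(flow):
    """True when the flow matches a sanctioned relationship in BASELINE."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    for src_net, dst_net, port, proto in BASELINE:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and flow.port == port
                and flow.proto == proto):
            return True
    return False


def find_drift(lines):
    """Return boundary-crossing flows that the baseline does not account for."""
    return [
        flow
        for flow in map(parse_flow, lines)
        if crosses_boundary(flow) and not in_baseline(flow)
    ]


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.50.1.20 dst=10.50.2.10 port=1433 proto=tcp",  # inside the segment, not a crossing
    "src=10.50.2.10 dst=10.10.0.5 port=514 proto=udp",    # sanctioned crossing (syslog)
    "src=10.20.3.7 dst=10.50.1.20 port=3389 proto=tcp",   # unsanctioned inbound crossing: drift
    "src=10.50.1.20 dst=10.20.3.7 port=445 proto=tcp",    # unsanctioned outbound crossing: drift
]

if __name__ == "__main__":
    for flow in find_drift(SAMPLE_FLOWS):
        print(f"segmentation drift: {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}")
```

Run against real flow exports (firewall logs, NetFlow, or the output of an application-discovery tool), the same comparison turns the one-time segmentation design into a recurring control: the baseline is the documented set of relationships, and every unexplained crossing is either a configuration change that needs to be reviewed or a baseline entry that was never documented.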
