Schneider Electric Zapped by Cactus Ransomware Gang in Latest Energy Sector Cyber Attack

Schneider Electric is working to restore parts of its cloud platform following a cyber attack that saw the Cactus ransomware Gang steal sensitive corporate data from its Sustainability division.

And according to a report by Bleeping Computer, the Cactus ransomware gang is now extorting the company by threatening to leak the stolen data if a ransom demand is not paid. 

Cactus reportedly stole terabytes of sensitive data from the French energy giant and disrupted its Resource Advisor cloud platform – which continues to suffer outages today. 

It’s not yet known what type of data was stolen, but its Sustainability Business division provides consulting services to multiple large companies worldwide including the likes of Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.

It's possible that the stolen data could contain sensitive information about these companies' power utilization, industrial control and automation systems, as well as their compliance with environmental and energy regulations.

In a statement, Schneider Electric confirmed that its Sustainability Business division suffered a cyberattack and that data was accessed by the threat actors. However, the company says the attack was restricted to this one division and did not impact other parts of the company.

"From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment. Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.

“As Sustainability Business is an autonomous entity operating its isolated network infrastructure, no other entity within the Schneider Electric group has been affected.” 

Cyber surge in the energy sector

Schneider Electric is a French multinational company that manufactures energy and automation products including everything from household electrical components to enterprise-grade industrial control and building automation products.

The company was previously targeted in last year's large-scale MOVEit data theft attacks by the Cl0p ransomware gang, which impacted over 2,700 companies over the course of several months, 

It’s also not the first energy company to be targeted by Ransomware gangs. A recent report by Rockwell Automation found Energy companies currently face as much as 39% of all cyber attacks in the world, and cybercrime is surging across the sector. 

“The attack on Schneider Electric follows a trend of cyberattacks against the energy sector. The energy sector is a popular target for ransomware due to playing a vital role in society's daily functioning – disruption can have far-reaching consequences,” Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure told Em360Tech. 

“Energy companies hold huge amounts of PII which not only has value on the dark web but is excellent leverage for cyber attackers when demanding a ransom.” 

“it was Schneider Electric's Sustainability Business enterprise consulting arm that was compromised. Its customers include mega-companies such as Hilton, Pepsico, and Walmart, and it is very likely that they hold sensitive data belonging to these companies,” Mr Robinson added. 

Who is the Cactus ransomware gang?

The Cactus ransomware gang is a multipoint extortion group that first appeared in March 2023, and their TTPs follow the standard ransomware playbook, making use of well-known tooling and methods. 

Like all ransomware operations, Cactus hackers breach corporate networks through purchased credentials, partnerships with malware distributors, phishing attacks, or by exploiting vulnerabilities. During multiple of their initial attacks in 2023 for instance, the gang gained access to victim networks via vulnerable VPN gateways, often Fortinet VPN instances.

Once they gain access to a network, the Catcus ransomware gang quietly spreads to other systems while stealing corporate data on servers. They then conduct double-extortion attacks, which is when they demand a ransom and promise to destroy and not leak stolen data.

During multiple of their initial attacks in 2023, the gang gained access to victim networks via vulnerable VPN gateways, often Fortinet VPN instances.

Schneider Electric is yet to confirm if the Cactus ransomware brand was responsible for the attack, and they have not as yet been listed on the group's leak site. 

But Cactus has become increasingly active in recent months. So far, there are over 80 companies listed on Cactus' data leak site whose data has been leaked or the hackers are threatening to leak if they don’t pay up.

Taking place on February 6-7,  CDAO UK brings some of the UK’s most senior positions within data and analytics from a cross-industry setting together under one roof for two days filled with of learning, networking and discussion around topics commonly faced by the community.

With a specific focus day included for Finance Services, as well as 50 speakers across Governance, Manufacturing, Healthcare, Transportation and much more, attendees can hear insights that will maximise the value of your data and innovate the strategies used within your organisation.

Speakers will share insights into data strategies, governance, quality and management whilst sharing real-world use cases, discussing common challenges and addressing ways to maximise business impact.

REGSITER TODAY and secure your place for the UK's most senior data and analytics event!