Schneider Electric Confirms Data Accessed in Ransomware Attack

Written by

Energy firm Schneider Electric has revealed it has fallen victim to a ransomware attack, leading to data from its Sustainability Business division being accessed.

The Cactus ransomware group has reportedly claimed responsibility for the attack, purportedly stealing terabytes of corporate data in the process.

The company said the incident took place on January 17, 2024, with its incident response team working to respond to and contain the attack.

Schneider has informed impacted customers of the breach. Customers of its Sustainability Business enterprise consulting arm include major brands such as Hilton, Pepsico, and Walmart.

Currently, it is not clear what information was accessed in the incident.

Schneider stated: “The on-going investigation shows that data have been accessed. As more information becomes available, the Sustainability Business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant.”

A number of division specific systems have been taken offline as a result of the attack, including Resource Advisor.

In the update on January 29, Schneider said its global incident response team is performing remediation steps to securely restore its systems. The company expects that access to its business platforms will resume in the next two business days.

The energy giant confirmed that no other entity within the Schneider Electric group has been affected, as its Sustainability Business is an autonomous entity operating in an isolated network infrastructure.

The investigation into the incident is continuing, with Schneider working with cybersecurity firms and “relevant authorities” to gain a detailed analysis.

Critical Infrastructure Under Threat

Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, noted that Schneider was a victim of LockBit’s MOVEit ransomware campaign in 2023, and it is concerning the company have been compromised again so soon afterwards.

“Energy companies hold huge amounts of PII which not only has value on the dark web but is excellent leverage for cyber attackers when demanding a ransom,” he stated.

Darren Williams, CEO and Founder at BlackFog, noted that this incident, which potentially involves data being stolen from major companies, could have a wide-ranging impact.

“In particular, the energy sector is a prime target due to its potentially lucrative rewards, if successful, and the maximum chaos caused by its widespread public reach. Naturally, with high-profile customers including Hilton and PepsiCo, Schneider Electric fit the bill,” said Williams.

Prominent energy firms impacted by ransomware attacks in 2023 included Tata Power, Suncor Energy and Energy One.

In December 2023, data from SecurityScorecard found that 90% of the world’s biggest energy companies have suffered a supply chain data breach in the past 12 months.

Earlier in January, two major water providers, Southern Water in the UK and the North American subsidiary of Veolia Water, revealed they had been hit by ransomware attacks leading to personal data being accessed.

Cactus Group Increasingly Active

Robinson noted that the Cactus group, which claimed to have compromised Schneider, has been increasingly active in recent months.

“They are a multipoint extortion group who first appeared in March 2023, and their TTPs follow the standard ransomware playbook, making use of well-known tooling and methods,” he explained.

“During multiple of their initial attacks in 2023, Cactus gained access to victim networks via vulnerable VPN gateways, often Fortinet VPN instances,” Robinson added. 

Update February 1: Schneider has published a statement confirming that access to Sustainability Business division business platforms reopened on January 31, 2024. 

Image credit: Poetra.RH /

What’s hot on Infosecurity Magazine?