Schneider Electric Hit with Ransomware Attack

Schneider Electric has been hit with a Cactus ransomware attack leading to the theft of corporate data.

The ransomware gang now is reportedly extorting the company by threatening to leak the stolen data if a ransom demand is not paid, according to Bleeping Computer.

According to Schneider Electric’s statement on the attack, on Jan. 17, a ransomware incident affected its sustainability business division. The attack has impacted Resource Advisor and other division-specific systems. 

Schneider Electric mobilized its global incident response team to respond to the attack, contain the incident and reinforce existing security measures. Its sustainability business division has informed impacted customers.

Schneider Electric Recovery

“From a recovery standpoint, [the] sustainability business is performing remediation steps to ensure that business platforms will be restored to a secure environment,” the company said. “Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days. From a containment standpoint, as [the] sustainability business is an autonomous entity operating its isolated network infrastructure, no other entity within the Schneider Electric group has been affected.”

From an impact assessment standpoint, the ongoing investigation shows data has been accessed, the company said. As more information becomes available, the sustainability business division will continue the dialogue directly with its impacted customers, and will continue to provide information and assistance as relevant. 

“From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cybersecurity firms and the Schneider Electric global incident response team continuing to take additional actions based on its outcomes, working with relevant authorities," it said.

Even Giants Can Be Victims

Yossi Rachman, senior director of research at Semperis, said this ransomware attack is another reminder that even giant, global organizations with world-class security professionals and incident responders on staff can still be victimized.

Semperis' Yossi Rachman

“Their attack surface, with 150,000 global employees, is massive,” he said. “And deliberate, motivated and persistent threat actors will eventually find a gap in the digital footprint of any company. The good news is that Schneider is working diligently to eliminate the remaining business disruptions this ransomware attack caused and hopefully they will be operating fully in the coming days.”

John Gallagher, vice president of Viakoo Labs at Viakoo, said whether for IoT, operational technology (OT), or industrial control systems (ICS), it has been a longstanding best practice to ensure these systems are on dedicated and isolated networks to prevent lateral movement if vulnerable IoT devices are breached. But this is not that situation. This is a business division and more like a fully separate company.

“In addition to isolated or segmented networks, effective use of zero-trust principles can also be effective in preventing lateral movement within an organization,” he said. “Using application-based discovery to identify all application, device and port relationships can also be effective in setting up and maintaining an isolated network. Too often, a network is properly configured and isolated, but over time both users and configuration drift can impact that segmentation and allow punch-throughs.”

Connection to Cactus Group

Sarah Jones, cyber threat intelligence research analyst at Critical Start, said the connection of the Schneider Electric attack to the Cactus ransomware group likely arises from two factors. Those include Cactus' history of targeting corporate networks and potential Qlik software use within Schneider Electric. Since Cactus previously exploited vulnerabilities in Qlik software, it further strengthens the Cactus connection.

Critical Start's Sarah Jones

“While Schneider Electric maintains confidentiality regarding the specifics of their sustainability business division's isolation, industry best practices suggest a layered approach,” she said. “This approach likely includes network segmentation to confine the division's IT infrastructure, minimizing the attack surface. Firewalls and security controls act as gatekeepers, restricting traffic flow and preventing lateral movement or data exfiltration. In more extreme cases, it is possible the division's network might be air-gapped, offering the strongest isolation, but at the potential cost of operational challenges.”

It’s also likely that Schneider Electric maintains dedicated security tools and personnel, enabling scanning for suspicious activity, and swift detection and response capabilities, Jones said.

“Additionally, access controls ensure only authorized individuals can access the systems, preventing unauthorized modifications, while sensitive data is likely encrypted at rest and in transit, providing an additional layer of protection," she said.