Energy management and automation giant Schneider Electric suffered a ransomware attack carried out by the group calling itself Cactus, which led to the theft of corporate data, according to people familiar with the matter. The attack hit the company’s Sustainability Business division earlier this month and disrupted the EcoStruxure Resource Advisor cloud platform, which allows companies to collect, analyze and automate information important to their sustainability goals. It continues to suffer outages to this day.
The ransomware gang reportedly stole terabytes of corporate data during the attack and is now extorting the company, threatening to leak the stolen data if the ransom is not paid. It is not known what type of data was stolen, but the Sustainability Business division provides consulting services to business organizations, advising on renewable energy solutions and helping companies around the world navigate complex climate regulatory requirements. The division’s clients include Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo and Walmart.
The stolen data may contain sensitive information about customers’ energy usage, industrial automation and control systems, and compliance with environmental and energy regulations.
Schneider Electric confirmed to BleepingComputer that its Sustainability Business division suffered a cyber attack and that data was exfiltrated by the ransomware operators. The company claims, however, that the attack was confined to this division and did not affect other business units. It did not say whether the division’s operations in other countries, such as Brazil, were affected.
Schneider Electric is a French multinational company that manufactures power and automation products ranging from household electrical components found in big-box stores to enterprise-grade industrial control and building automation products.
The company recorded revenue of US$28.5 billion in the first nine months of 2023 and employs more than 150,000 people worldwide.
This is not the first time that Schneider Electric has been the target of a cyber attack. In June last year, the company suffered a widespread data theft attack perpetrated by the Clop ransomware gang, which exploited a zero-day vulnerability in Progress Software’s managed file transfer application, affecting more than 2,700 companies.
How Cactus ransomware operates
The Cactus ransomware operation launched in March 2023 and has since listed numerous companies it claims to have breached. Like other ransomware operations, its operators break into corporate networks using acquired credentials, partnerships with malware distributors, phishing attacks, or the exploitation of vulnerabilities. Once inside a network, they spread silently to other systems while stealing corporate data from servers.
After stealing the data and gaining administrative privileges on the network, the operators encrypt files and leave ransom notes. In other words, they carry out double-extortion attacks: they demand a ransom payment in exchange for a file decryptor and a promise to destroy, rather than leak, the stolen data. If a company does not pay, they publish the stolen data on the group’s leak site. At present, more than 80 companies are listed on the Cactus leak site, with their data either already leaked or under threat of being leaked.
Source: CisoAdvisor