Schneider Electric hit by Cactus Ransomware cyber attack
Global energy company Schneider Electric has disclosed a ransomware attack that affected its sustainability division, affecting a number of systems.
The French multinational, which operates in Australia and other countries, said yesterday (29 January 2024) that the attack occurred on 17 January 2024, affecting the company’s “Sustainability Business” division.
A number of systems, including the company’s Resource Advisor, were affected by the attack. Schneider Electric has said that it has informed affected customers and launched its global incident response team to bolster its security measures and contain the incident.
It added that the incident was limited to only its Sustainability Business division and that no other entities were affected. It also said that operations and “access to business platforms” would return to normal in “the next two business days” at the time of its post.
Schneider has broken down the response into four key parts – recovery, containment, impact assessment, and forensic analysis.
“From a recovery standpoint, Sustainability Business is performing remediation steps to ensure that business platforms will be restored to a secure environment,” the company wrote.
“Teams are currently testing the operational capabilities of impacted systems with the expectation that access will resume in the next two business days.
“From a containment standpoint, as Sustainability Business is an autonomous entity operating its isolated network infrastructure, no other entity within the Schneider Electric group has been affected.
“From an impact assessment standpoint, the ongoing investigation shows that data have been accessed. As more information becomes available, the Sustainability Business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant.
“From a forensic analysis standpoint, the detailed analysis of the incident continues with leading cyber security firms and the Schneider Electric global incident response team continuing to take additional actions based on its outcomes, working with relevant authorities.”
While the company did not disclose the name of the attack nor the nature of the attack beyond being a ransomware incident, threat feeds observed by Cyber Daily have suggested that the Cactus Ransomware group is behind the incident.
However, upon further investigation by Cyber Daily, Cactus has yet to list Schneider Electric on its leak site and has not said anything regarding the incident.
Cactus Ransomware first appeared in March 2023 and is known for its double-extortion methods, both encrypting and threatening to publish accessed data.
It is also known for gaining initial access to company systems through the exploitation of VPN vulnerabilities before deploying its SSH backdoor, which allows for not only unauthorised access but also continuous presence under the radar.