Schneider Electric has been the victim of a cyberattack that hit its Sustainability Business division, and reports so far have attributed it to a growing ransomware operation called “Cactus.”
Schneider Electric is a world leader in industrial manufacturing, whether it be industrial automation equipment and control systems, building automation, energy storage and more. According to a press release by the industrial giant, the damage resulting from the January 17 violation was limited only to the sustainability division, which provides software and consulting services to businesses, and did not affect any safety-critical systems.
However, the company faces potential repercussions if its customers’ business data is disclosed. According to Bleeping Computer, the Cactus ransomware gang, a relatively young but prolific group, claimed responsibility for the attack. (When Dark Reading contacted Schneider Electric for confirmation, the company neither confirmed nor denied this attribution.)
What happened to Schneider Electric
Schneider Electric has not yet disclosed the extent of the data that may have been lost by its attackers, but it has acknowledged one affected platform: Resource Advisor, which helps organizations monitor and manage their ESG, energy and sustainability data.
The attack was entirely limited to the platforms and operations associated with the Sustainability division because, the company explained, it is “an autonomous entity that operates its own isolated network infrastructure.”
The company also noted that it has already notified affected customers and expects business operations to return to normal by January 31.
But this may not be the end of the story, as Schneider Sustainability serves a wide range of organizations in more than 100 countries, including 30% of Fortune 500 companiesstarting in 2021. Having so many potentially affected customers can impact how the company deals with a ransom request.
What you need to know about Cactus ransomware
Cactus isn’t even a year old yet and arrived on the ransomware scene last March. However, he is already one of the most prolific actors on the planet.
According to data from the NCC Group, shared with Dark Reading via email, Cactus has claimed double-digit victims almost every month since last July. The busiest periods so far were in September, when 33 scalps were taken, and in December, 29 scalps, making it the second busiest group in that period, behind only LockBit. Its approximately 100 victims so far have spanned 16 industries, most commonly automotive, construction and engineering, as well as software and IT.
But it’s not for some discernible technical reason that it achieved such rapid results, says Vlad Pasca, senior malware and threat analyst for SecurityScorecard, who wrote a white paper on the group last autumn. In general, Cactus relies only on known vulnerabilities and standard software.
“Initial access is gained using Fortinet VPN vulnerabilities, then they use tools like SoftPerfect Network Scanner and PowerShell to enumerate hosts in the network and do some lateral movement,” Pasca says. Perhaps, he suggests, the banality of Cactus is the lesson to be learned from the Schneider Electric story: “even if you have a large budget for cybersecurity, you could still be affected by such basic vulnerabilities.”