Schneider Electric victim of Hellcat ransomware: a “baguette” ransom demand

Schneider Electric, the French energy management and automation giant, is facing a new cyber crisis. This global leader in energy solutions, which covers a range of sectors from residential housing to critical infrastructure and industry, has once again fallen victim to a cyber attack. A ransomware group, named Hellcat, has claimed responsibility for hacking into the company’s Atlassian Jira system, gaining access to sensitive data. Let’s take a look back at this landmark cyberattack, which raises many questions about the IT security of major corporations.

Background to the incident

On November 4, 2023, Schneider Electric confirmed that it had suffered an intrusion into its internal project tracking system, hosted in an isolated environment. Attackers used administrator access to penetrate Schneider Electric’s Jira instance, compromising critical information such as projects, technical issues and plugins. The attack resulted in the theft of over 40 GB of compressed data.

Contacted by Bleeping Computer, Schneider Electric confirmed the attack: “Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms, which is hosted in an isolated environment. Our global incident response team was immediately mobilized to respond to the incident: Schneider Electric products and services are not affected.”

The hackers’ strange ransom demand

One of the most surprising elements of this attack is its unusual ransom demand. The Hellcat hackers seem to have a peculiar sense of humor: they are demanding that Schneider Electric pay the ransom of 125,000 USD (around 115,000 euros) in… baguettes! Of course, this unusual demand is a joke, as the real ransom is demanded in Monero, a cryptocurrency that preserves the anonymity of transactions.

Hellcat’s ransom demand in baguettes
Screenshot – Source X (Twitter)

Although this “baguette” ransom demand seems surprising, it could be part of a visibility strategy for this new ransomware group. Hüseyin Can Yuceel, security researcher at Picus Security, told Forbes: “Ransomware is a business model, and we can consider this strange demand for baguettes as a marketing stunt.” For the researcher, it is likely that the Hellcat group, a newcomer to the competitive criminal ransomware scene, is “trying to attract attention and establish trust among future victims and associates for a possible Ransomware-as-a-Service operation”.

Hellcat also stated that they would be willing to reduce the ransom by 50% if Schneider Electric publicly acknowledges the incident, with its new CEO, Olivier Blum, admitting that the data was stolen. “It’s your choice Olivier,” said Grep, one of the main players in the threat. This tactic is probably intended to encourage a rapid response from the company, while playing on the public dimension of corporate reputation. The deadline for payment of the ransom is November 7, after which Hellcat has promised to release the stolen data.

Three victims of the Hellcat ransomware
Screenshot – Source FalconFeeds on X (Twitter)

On Monday, Hellcat, previously named ICA, had also added two more victims to its dark web portal: the Jordanian Ministry of Education and Tanzania’s College of Business Education.

Access method

The hackers claimed to have exploited root access to the Jira system. Although they did not detail how this access was obtained (presumably via poorly protected credentials), it clearly enabled them to scrape massive amounts of data. Once inside the server, they used a MiniOrange REST API to extract 40 GB of sensitive information, which they then split into 300 MB files before storing them elsewhere.
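The access method described above, an administrator-level account pulling tens of gigabytes through a REST API in many successive calls, is the kind of activity a defender can spot in access logs by volume alone. The following detector is an added example, not code from the article, from Atlassian or from Schneider Electric: it walks a constructed, simplified access log (the line format, the user names, the paths and the thresholds are all assumptions made for this example, not Atlassian’s real log format) and flags any user whose successful REST API reads within a sliding window exceed either a request count or a cumulative byte volume.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (not a real Jira log): one request per line in the
# assumed format "<ISO timestamp> <user> <method> <path> <status> <bytes>".
# "svc-admin" pages through a search endpoint pulling ~50 MiB per call.
SAMPLE_LOG = """\
2024-11-04T02:00:01Z alice GET /rest/api/2/issue/PROJ-101 200 4096
2024-11-04T02:00:05Z alice GET /rest/api/2/issue/PROJ-102 200 3890
2024-11-04T02:01:00Z svc-admin GET /rest/api/2/search?startAt=0&maxResults=1000 200 52428800
2024-11-04T02:01:30Z svc-admin GET /rest/api/2/search?startAt=1000&maxResults=1000 200 52428800
2024-11-04T02:02:00Z svc-admin GET /rest/api/2/search?startAt=2000&maxResults=1000 200 52428800
2024-11-04T02:02:30Z svc-admin GET /rest/api/2/search?startAt=3000&maxResults=1000 200 52428800
2024-11-04T02:03:00Z svc-admin GET /rest/api/2/search?startAt=4000&maxResults=1000 200 52428800
2024-11-04T02:03:30Z svc-admin GET /rest/api/2/search?startAt=5000&maxResults=1000 200 52428800
2024-11-04T02:04:00Z svc-admin GET /rest/api/2/search?startAt=6000&maxResults=1000 200 52428800
2024-11-04T02:10:00Z bob POST /rest/api/2/issue 201 512
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one line of the assumed log format; return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "user": m["user"],
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
        "bytes": int(m["bytes"]),
    }


def detect_bulk_pulls(log_text, window=timedelta(minutes=10),
                      max_requests=50, max_bytes=200 * 1024 * 1024):
    """Return {user: (reason, requests, bytes)} for every user whose successful
    GET requests to /rest/api/ within any `window` exceed either threshold.
    The thresholds are illustrative; tune them to the site's normal API use."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or not ev["path"].startswith("/rest/api/"):
            continue
        if ev["method"] != "GET" or ev["status"] != 200:
            continue  # only count reads that actually returned data
        events[ev["user"]].append(ev)

    findings = {}
    for user, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start, count, total = 0, 0, 0
        for end, ev in enumerate(evs):
            count += 1
            total += ev["bytes"]
            # Advance the window start until it lies within `window` of this event.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                count -= 1
                total -= evs[start]["bytes"]
                start += 1
            if count > max_requests:
                findings[user] = ("request-rate", count, total)
                break
            if total > max_bytes:
                findings[user] = ("volume", count, total)
                break
    return findings


if __name__ == "__main__":
    for user, (reason, n, nbytes) in detect_bulk_pulls(SAMPLE_LOG).items():
        print(f"{user}: {reason} ({n} requests, {nbytes / 1048576:.0f} MiB in window)")
```

On the constructed sample only svc-admin is flagged, by cumulative volume after its fifth call, while alice’s two small reads and bob’s write are ignored. A real deployment would feed this the actual access log of the Jira instance, alert on the finding, and pair it with an allow-list of service accounts that legitimately bulk-export.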

The impact on Schneider Electric

The timing of this attack couldn’t have been worse for Schneider Electric. The incident coincided with the appointment of new CEO Olivier Blum, making his first week in office particularly tumultuous.

According to available information, the compromised data includes not only details of internal projects, but also personal information from over 400,000 lines of user data. This would represent, according to what Grep told BleepingComputer, 75,000 unique e-mail addresses and full names for Schneider Electric employees and customers.

This type of cyber-attack can affect the trust of customers and business partners, as well as tarnishing the company’s brand image.

Schneider Electric reactions and investigations

Schneider Electric immediately launched an in-depth investigation to understand the extent of the breach and identify exploitable vulnerabilities. The company’s initial response emphasizes the isolated nature of the compromised system and the measures taken to contain the threat.

This is the third cyberattack in 18 months to hit Schneider Electric. After being hit by Cl0p in June 2023, during large-scale attacks using a vulnerability in the MOVEit file transfer tool, the “Sustainability Business” division had been targeted by Cactus ransomware in January 2024.

The consequences of ransomware attacks for the industry

This attack illustrates once again how vital it is for businesses of all sizes to implement robust cybersecurity strategies. The massive theft of sensitive data deteriorates the relationship of trust between companies and their stakeholders, which can have lasting effects on performance and reputation.

Data integrity

Maintaining the integrity and confidentiality of data is becoming a key priority. Companies need to invest in cutting-edge technologies to detect and respond rapidly to incidents. They must also actively collaborate with the authorities to combat these threats effectively.

To limit the risks of such attacks, several measures can be put in place. Firstly, adopt a “Zero Trust” approach where every access attempt is strictly verified, even internally. Secondly, keep all software and infrastructure up to date, apply security patches promptly and continually train employees to recognize potential threats.

Accountability and transparency

When dealing directly with consumers and partners, companies need to be transparent about the measures taken in response to cyber attacks. Communicating openly about the steps taken to rectify flaws and protect data helps to regain lost trust.

The Schneider Electric affair is a reminder of how imperative it is for large companies to strengthen their defenses against cyber threats. Whether through improved API security, strict enforcement of security policies or transparency with the public, every aspect counts to ensure resilience in the face of the exponential growth of ransomware attacks.
