SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Cactus Ransomware Group Confirms Hacking Schneider Electric

Cactus ransomware has added Schneider Electric to its leak site, claiming to have stolen 1.5 terabytes of data.

The Cactus ransomware gang has claimed responsibility for the cyberattack that French industrial giant Schneider Electric disclosed at the end of January.

The incident, the company said at the time, was discovered on January 17 and only impacted its Sustainability Business division, resulting in severed access to Resource Advisor and other systems used by the division.

Schneider Electric has since updated its incident notification to say that it has restored access to the impacted systems and that the attackers exfiltrated certain Sustainability Business data.

Initial reports suggested that the Cactus ransomware group might have orchestrated the attack, and the suspicions have been confirmed, after the gang listed the French giant on its Tor-based leak website.

According to Cactus, roughly 1.5 terabytes of data were exfiltrated from Schneider Electric’s systems. The ransomware gang has published a small set of allegedly stolen data, including copies of passports and non-disclosure agreements, and is threatening to make it all public unless a ransom is paid.

Schneider Electric’s Sustainability Business provides sustainability consulting services to large organizations worldwide, including Clorox, DHL, Hilton, and PepsiCo. However, it is unclear how many of these clients were affected by the incident.

Active since at least March 2023, Cactus made headlines in November, when security operations firm Arctic Wolf blamed it for the exploitation of vulnerabilities in a product of business analytics firm Qlik.

Advertisement. Scroll to continue reading.

It was also observed exploiting Fortinet VPN flaws for initial access, creating an SSH backdoor for persistence, relying on remote access tools, stealing credentials, and encrypting data on all accessible systems.

Cactus has been highly active in the recent months and is currently listing more than 100 companies on its leak site.

Related: Ransomware Group Takes Credit for LoanDepot, Prudential Financial Attacks

Related: US Offers $10 Million for Information on BlackCat Ransomware Leaders

Related: Ransomware Attack Knocks 100 Romanian Hospitals Offline

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: How Modern Breaches Bypass MFA and Evade Detection
June 17, 2026

Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes.

Register

Webinar: Modern Exposure Validation in the AI Era
June 24, 2026

AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program.

Register

People on the Move

Stephen Garcia has been named Chief Information Security Officer at BreachRx.

Kasper Lindgaard has been appointed Vice President of Security Strategy at CoreView.

Chaim Mazal has been named Chief Information Security Officer at GitLab.

More People On The Move

Expert Insights

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.