Schneider Electric’s Sustainability Business division is dealing with a ransomware attack that also appears to have resulted in a data breach, the French industrial giant said on Monday.
According to the company, the incident is limited to its Sustainability Business division, which it has described as an “autonomous entity operating its isolated network infrastructure”.
Schneider Electric said the cyberattack has impacted Resource Advisor and other systems used by the targeted division, but it expects access to business platforms and operations to resume within two business days.
The attack was discovered on January 17 and the company’s investigation is ongoing, but some evidence suggests that the hackers have accessed data, including customer information.
Bleeping Computer reported that the Cactus ransomware group is behind the attack. However, the group has yet to list Schneider Electric on its Tor-based leak website.
The Cactus ransomware has been active since at least March 2023 and at the time of writing the group’s leak website shows 86 alleged victims.
The ransomware made headlines in November, when security operations firm Arctic Wolf reported that three vulnerabilities affecting a product of business analytics firm Qlik had been exploited for initial access. The attackers attempted to deploy the Cactus ransomware on compromised systems.
“Schneider Electric is yet to confirm if the Cactus ransomware brand were responsible for the attack, and they have not as yet been listed on the groups leak site, however Cactus has become increasingly active in recent months,” Stephen Robinson, senior threat intelligence analyst at WithSecure, told SecurityWeek.
“They are a multipoint extortion group who first appeared in March 2023, and their TTPs follow the standard ransomware playbook, making use of well-known tooling and methods. During multiple of their initial attacks in 2023, Cactus gained access to victim networks via vulnerable VPN gateways, often Fortinet VPN instances,” Robinson added.
This is not the first time Schneider Electric has been targeted by a ransomware group. The company was one of the many victims of the Cl0p gang’s massive MOVEit attack campaign.