Siemens Energy, Schneider Electric Targeted by Ransomware Group in MOVEit Attack

Energy giants Schneider Electric and Siemens Energy have confirmed being targeted by a ransomware group in the recent campaign exploiting a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) software.

The Cl0p ransomware group claims to have exploited a MOVEit zero-day vulnerability to access the files of hundreds of organizations that had been using the MFT product. Several major companies have confirmed being hit and the cybercriminals have started naming victims that refuse to pay up. 

This week, the hackers added over a dozen more alleged victims to their leak website. Germany-based Siemens Energy, a spinoff of Siemens’ energy business, and France-based automation and energy management giant Schneider Electric are among the companies named this week on the Cl0p site.

Siemens Energy has confirmed for SecurityWeek that it’s among the targets of the MOVEit attack and said it took immediate action in response to the incident.

“Based on the current analysis no critical data has been compromised and our operations have not been affected,” the company said in an emailed statement. 

Schneider Electric told SecurityWeek that the company became aware of the MOVEit software zero-day on May 30 and promptly deployed mitigations to secure data and infrastructure. 

“Subsequently, on June 26th, 2023, Schneider Electric was made aware of a claim mentioning that we have been the victim of a cyber-attack relative to MOVEit vulnerabilities. Our cybersecurity team is currently investigating this claim as well,” the company said.

Other major organizations listed recently by Cl0p on its leak website include Sony, EY, PwC, Cognizant, AbbVie and UCLA, but it’s unclear if all of them have been targeted in the MOVEit attack. SecurityWeek has reached out to each of them for comment. 

The attackers have started leaking data allegedly stolen from energy giant Shell, which has confirmed being targeted in the MOVEit attack. SecurityWeek has reached out to Shell as well. 

Some evidence suggests that the cybercriminals have known about the MOVEit zero-day vulnerability since 2021, but mass attacks only started in late May 2023. 

While some government organizations have also confirmed being impacted, the hackers claim they have deleted all the data obtained from such entities, noting that they are financially motivated and “do not care about politics”. They allegedly deleted data obtained from more than 30 government and government-related organizations. 

The cybercriminals also claim on their website that they are the only group to have exploited the zero-day before it was patched and they are the only ones in possession of the data obtained as a result of the attack. 

UPDATE: EY and UCLA have responded to SecurityWeek’s request for comment. Their response has been included in a follow-up article focusing on the number of known victims.

Related: Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack

Related: MOVEit Customers Urged to Patch Third Critical Vulnerability

Related: New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward