Ransomware, Critical Infrastructure Security

Ransomware attack claims Schneider Electric’s sustainability division

The headquarters of French electrical equipment giant Schneider Electric is seen in Rueil-Malmaison, outside Paris.

Large global energy management and automation manufacturer Schneider Electric said on Monday that it was responding to a ransomware attack on its Sustainability Business Division.

In an open letter posted on its website, Schneider Electric said the incident happened on Jan. 17 and affected Resource Advisor and other division-specific systems.

The large manufacturer with $36.8 billion in annual revenue and more than 160,000 employees worldwide said its teams are performing remediation steps to restore its business systems, and expected it to be back up and running in the next two business days. It also pointed out that the Sustainability Business division functions as a separate entity that operates its own isolated network infrastructure, so no other Schneider Electric divisions have been impacted.

“Schneider Electric's claim about the isolation of its Sustainability Business Division likely reflects their advanced cybersecurity measures,” explained Anurag Gurtu, chief product officer at StrikeReady. “Given their status as an operational technology (OT) company, such practices, including segmenting and air-gapping sensitive divisions, are crucial for minimizing the impact of attacks and preventing hackers from moving laterally within the network.”

Sarah Jones, cyber threat intelligence research analyst at Critical Start, added that the reported connection of the Schneider Electric attack to the Cactus ransomware group likely arises from two factors: Cactus' history of targeting corporate networks and potential Qlik software used within Schneider Electric. Jones said since Cactus previously exploited vulnerabilities in Qlik software, it further strengthens the Cactus connection.

“While Schneider Electric maintains confidentiality regarding the specifics of their Sustainability Business division's isolation, industry best practices suggest a layered approach,” said Jones. “This likely includes network segmentation to confine the division's IT infrastructure, minimizing the attack surface. Firewalls and security controls act as gatekeepers, restricting traffic flow and preventing lateral movement or data exfiltration. In more extreme cases, it’s possible the division's network might be air-gapped, offering the strongest isolation but at the potential cost of operational challenges.”

StrikeReady’s Gurtu pointed out that, regarding the involvement of the Cactus ransomware group as reported by Bleeping Computer, it's “intriguing” that Schneider Electric has not been listed on their Tor site.

“This could indicate a variety of possibilities, from a delay in the group's operations to a different attacker being responsible for this incident,” noted Gurtu.

On its LinkedIn page, the Schneider Electric Sustainability Division boasted about being named one of TIME’s most influential companies of 2023:

“Our team has helped 40% of the Fortune 500 companies achieve their goal of reducing emissions, and we have set our sights even higher. With our acquisition of various software and service providers, we are dedicated to achieving our goal of saving 800 million tons of CO2 emissions by 2025.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.