On Sunday the Cactus ransomware gang claimed it stole 1.5 terabytes of data from Schneider Electric during an attack that occurred last month against the OT manufacturer. The ransomware group posted 25 megabytes of the data online as proof of its attack.
In a response on its website, Schneider Electric confirmed that “certain data” from its Sustainability Business Division was obtained by the threat actor.
While the full extent of the data stolen was not 100% certain, published reports said the threat actor posted snapshots showing the passports of several American citizens and scans of non-disclosure agreements. The threat actor, which first came on the scene in March 2023 and focuses on double extortion techniques, was also reportedly in ransom negotiations with Schneider Electric.
Given that the large French manufacturer does business with numerous global manufacturers, retailers, and logistics companies, security researchers were concerned about this latest news.
“Now that the Cactus group has shown ‘proof of life,’ you can be certain that major customers of Schneider are exerting significant pressure on them to make what will likely be a record ransomware payment to forestall the release of the mountains of sensitive data,” said John Gunn, chief executive officer at Token. “In this instance, the cybercriminals hold all the cards as even Schneider probably doesn’t know with certainty what was stolen and which customers it will impact.”
Gunn said it's undoubtedly another example of a massive ransomware loss similar to the $100 million loss by MGM last fall. Gunn added that almost all these losses are the result of companies relying on 20-year-old legacy MFA technology to stop sophisticated generative AI-driven phishing attacks. “What could possibly go wrong with that scenario?” posed Gunn. “Well, here’s your answer, once again.”
Melvin Lammerts, Hacking Lead at Hadrian, pointed out that based on the available information, the threat actors got hold of customer and/or employee data, including PII and the passport scans.
“This information is often stored with contracts and not in a secure separate vault,” explained Lammerts. “Given the size of the leak, it’s likely that the attackers have gained access to a large number of documents.”
Chris Clymer, director and CISO at Inversion6, added that what he finds most interesting about this attack is that Schneider Electric has had vulnerabilities publicly reported by CISA in various software packages almost every month recently.
Clymer said some of these vulnerabilities have had CVSS scores as high as 9.8, which signifies that they are easy to exploit and remotely accessible. OT vendors like this have generally lagged traditional IT vendors in providing proper software support and security, said Clymer.
“This mattered less when such systems were isolated, but modern networks often make OT systems accessible, and thereby exploitable… precisely why CISA tracks and reports these issues,” said Clymer. “Being victim to the MOVEit attack, this latest one, and the string of severe vulnerabilities begin to paint a picture. If I were a stockholder, I would be asking tough questions about the state of their cybersecurity program, if SE thinks it's adequate, and what they are doing to put a lid on these events.”
Callie Guenther, senior manager, cyber threat research at Critical Start, added that while there’s no information indicating whether Schneider Electric intends to pay a ransom, companies often refrain from disclosing their negotiation tactics or decisions regarding ransom payments, as doing so could influence the actions of future attackers.
“The decision to pay a ransom involves complex considerations, including the value of the stolen data, the likelihood of data recovery, legal implications, and the potential encouragement of future attacks,” explained Guenther.