Cyber Incident Victim: Schneider Electric
Date: Jan 2024
Location: France
Summary
Schneider Electric experienced a ransomware attack by the Cactus group targeting its Sustainability Business division, resulting in data theft and disruptions to its Resource Advisor cloud platform. The attackers claimed to have stolen terabytes of corporate data and threatened to leak it unless a ransom was paid; the compromised information may include sensitive customer details related to energy usage, industrial systems, and regulatory compliance. The company confirmed the incident was isolated to the division's autonomous network infrastructure, with remediation efforts underway to restore affected systems while collaborating with cybersecurity firms and authorities to investigate the breach.
Description
On January 17, 2024, Schneider Electric’s Sustainability Business division suffered a ransomware attack attributed to the Cactus group, resulting in data theft and operational disruptions. The attack compromised the division’s isolated network infrastructure, specifically impacting its Resource Advisor cloud platform, which provides enterprise clients with renewable energy consulting and climate regulatory compliance services. Outages affecting the platform persisted beyond the initial attack date, though Schneider Electric stated no other divisions within the multinational corporation were breached due to the division’s autonomous network architecture.

Threat actors exfiltrated terabytes of corporate data during the intrusion, with the ransomware group threatening to leak the information unless Schneider paid an unspecified ransom. While the exact content of the stolen data remains unconfirmed, the compromised division’s operations suggest potential exposure of sensitive client information, including power utilization metrics, industrial control system details, and environmental compliance records. Affected customers include Allegiant Travel Company, Clorox, DHL, DuPont, Hilton, Lexmark, PepsiCo, and Walmart.

Schneider Electric engaged third-party cybersecurity firms and its Global Incident Response team to conduct forensic analysis, working alongside authorities to investigate the scope of data access. The company initiated remediation efforts to restore affected systems within a secure environment, with testing underway to resume platform access within two business days of its January 29 statement.

Schneider Electric confirmed the Sustainability Business division’s data was accessed but emphasized containment to that entity, noting no broader organizational compromise. Recovery efforts prioritized isolating and restoring the Resource Advisor platform while maintaining direct communication with impacted customers regarding data exposure risks. The company did not disclose whether it would pay the ransom or comment on the attackers’ leverage of stolen data, though Cactus ransomware’s established double-extortion tactics historically involve leaking data from non-paying victims. Schneider’s prior experience with cyber incidents, including the 2023 Clop ransomware exploitation of MOVEit vulnerabilities affecting over 2,700 organizations, informed its response protocols. The incident occurred as the €34 billion-revenue company prepared to release its 2023 financial results, with the Sustainability Business division’s operational disruptions representing a localized but strategically significant breach given its role in global climate advisory services. Forensic analysis and system testing continued as of the latest update, with Schneider committing to ongoing customer dialogue as the investigation progresses.
