Cyber Incident Victim: Schneider Electric
Date: May 2023
Location: United States of America
Summary
Schneider Electric was breached as part of a mass-exploitation campaign targeting a zero-day vulnerability in the MOVEit file-transfer application. The attack was attributed to the Clop ransomware group, which exploited the flaw to gain unauthorized access to systems. The company promptly deployed available mitigations to secure its data and infrastructure upon becoming aware of the incident. The breach was part of a wider hacking spree that impacted numerous other organizations globally.
Description
On or around May 27, 2023, the initial signs of a mass exploitation campaign targeting a critical zero-day vulnerability in the MOVEit Transfer file-transfer service were observed. The MOVEit service, provided by Progress Software, is available in both cloud and on-premises offerings and is widely used by organizations globally. The vulnerability, tracked as CVE-2023-34362, was a SQL injection flaw, a type of vulnerability resulting from preventable coding practices. The threat actor responsible for these attacks was identified by Microsoft as Clop, a Russian-speaking ransomware syndicate known for its high level of activity and prolific attacks. This group had recently conducted a similar mass exploitation campaign against a different file-transfer service, GoAnywhere, exploiting CVE-2023-0669 and breaching over 100 organizations.

The exploitation spree rapidly impacted numerous victims. Among the first confirmed organizations breached were the payroll service provider Zellis and the Canadian province of Nova Scotia. The compromise of Zellis had a cascading effect, leading to data theft from several of its major customers, including British Airways, the BBC, Aer Lingus, Ireland's Health Service Executive (HSE), and UK retailer Boots. Other early victims included two entities within the US Department of Energy, the states of Missouri and Illinois, the American Board of Education, Extreme Networks, and Ofcom. Driver's license data for millions of citizens in the states of Oregon and Louisiana was also stolen in these attacks, and reports indicated the US Department of Agriculture may have been affected as well.
Progress Software, the provider of MOVEit, developed a patch for the critical vulnerability and released it on May 31, 2023, four days after the first signs of exploitation. Despite the availability of a fix, many organizations continued to be compromised because they had not yet installed the patch on their networks. The incident continued to evolve with new victims being disclosed. Based on posts published by the Clop crime group and disclosures from victims, the antivirus company Emsisoft estimated that, at the time of reporting, the hacking spree had breached 122 organizations and obtained the data of approximately 15 million people.
In the days following the patch release, additional high-profile victims were confirmed. The Clop group named Siemens Electric as a victim on its data leak site. Company officials confirmed the breach, stating that their systems had been compromised in the Clop campaign. A Siemens Electric representative reported that based on their analysis, no critical data had been compromised and their operations were not affected. The company stated it took immediate action upon learning of the incident.
The Clop group also publicly named Schneider Electric as another victim of the mass exploitation campaign. On May 30, 2023, Schneider Electric became aware of the vulnerabilities impacting the Progress MOVEit Transfer software. The company issued a statement confirming it had promptly deployed available mitigations to secure its data and infrastructure and had continued to monitor the situation closely. The specific nature of the data impacted at Schneider Electric was not detailed in the initial disclosure.
Another significant victim, the New York City Department of Education, came forward on the evening of Saturday, June 3rd. The department's chief operating officer, Emma Vadehra, confirmed it had been hit in the Clop campaign. A review of the impacted files was ongoing, but preliminary results indicated that approximately 45,000 students, in addition to Department of Education staff and related service providers, were affected. Roughly 19,000 documents were accessed without authorization. The types of data impacted included Social Security Numbers and employee ID numbers; it was noted that not all impacted individuals had their Social Security Numbers compromised, with approximately 9,000 such numbers included in the stolen data.
The Clop group utilized its data leak site to publicly name victims and pressure them into negotiations, a common tactic for ransomware syndicates. The group had a history of such operations, and the MOVEit campaign represented another large-scale attack leveraging a zero-day vulnerability in a widely deployed enterprise application. The consequences for victims varied but primarily involved the large-scale theft of sensitive personal, financial, and governmental data. The full scope of the incident continued to be assessed as more organizations reviewed their systems for signs of compromise and determined what data may have been exfiltrated. The event underscored the significant risk posed by vulnerabilities in commonly used third-party software and the rapid, widespread damage that can result from their exploitation by determined threat actors.
