Inside the Schneider Electric Ransomware Attack

Takeaways from a double-extortion campaign that targeted one of the sector's largest OT suppliers.


In mid-January the ransomware-as-a-service group Cactus was able to infiltrate the networks of Schneider Electric’s Sustainability Business Division. The hackers reportedly stole 1.5 terabytes of data and began a double-extortion campaign that included releasing 25 megabytes of sensitive data. Included in this release was individual passport information and other data related to customers of the global energy management and automation company.

Cactus is one of the fastest-growing RaaS organizations, claiming more than 100 ransomware attacks within the last year. Their area of expertise appears to be exploiting corporate VPN connections to obtain access to networks. Once inside, the group deploys a malware strain that encrypts the victim’s data in a manner that has proven difficult to detect and capable of evading many antivirus and network monitoring tools.

Details on the amount of the ransom being demanded, or the company’s response to it, were not made public. However, Schneider did issue a response 12 days after the attack stating that the company’s teams had begun performing remediation steps immediately, and that all systems would be up and running again by January 31 – roughly two weeks after the attack took place.

The company also noted that the Sustainability Business division functions as a separate entity, and runs on its own network infrastructure. This would mean that no other divisions of the company could have been impacted.

Schneider Electric was also a victim of Clop’s attack on the MOVEit file transfer software that impacted nearly 3,000 companies last May. Many industry analysts speculate that attacks such as these are a combination of poor credential security and legacy multi-factor authentication strategies.

To get a clearer picture of what may have happened, and to glean some lessons learned from the attack, I recently sat down with Jess Parnell, the chief information security officer at Centripetal, a leading provider of threat intelligence and cybersecurity services.

Jeff Reinke, editorial director: Do you think the size of this haul stemmed more from the robustness of the attack or a collection of defensive shortcomings?

Jess Parnell, Centripetal: Unfortunately, it’s likely due to the defensive shortcomings. Businesses and organizations worldwide are facing a growing challenge from cyber threats, despite substantial investments in security tools.

There is a pressing need for a fresh approach to cybersecurity—one that leverages knowledge, information, and, most importantly, intelligence. A thorough understanding of cyber attackers is essential for building a strong and efficient defense. The sheer volume of threat intelligence requires a fundamentally new strategy for acquiring, processing and applying it effectively.

JR: It’s being suggested that suppliers and partners of Schneider are putting pressure on the company to pay the ransom. What impact do you think this has had on the situation?

JP: In addition to ransomware, there's a trend of data theft preceding ransomware attacks. It's almost like insurance for attackers, ensuring that victims are more likely to pay. The fundamental issue lies in the lack of trustworthiness of these attackers. Once they've stolen your data, it's difficult to believe they will actually delete it even if you pay the ransom. Unfortunately, the data is already compromised. The bad guys already have your data, and cyberattacks are increasing in frequency and popularity. To illustrate, statistics show that 1 in 10 small businesses experiences a cyberattack each year.

JR: What advice would you give ransomware victims when it comes to the payment dilemma?

JP: Victims should not be compelled to pay. Historical data shows that the outcomes for victims who paid versus those who did not were largely similar. Paying does not prevent future attacks. For instance, consider the incident involving the casinos in Las Vegas: one casino paid, while the other did not, yet the attacks occurred within a week of each other.

JR: Schneider was also a victim of last year’s MOVEit attack. Do you think the success of that attack put Schneider on more hackers’ radar?

JP: It’s hard to say, but I do know that after falling victim to the MOVEit attack, it should have been priority number one to re-evaluate their cybersecurity posture. The traditional approach to threat intelligence is no longer sufficient, as evidenced by the frequent attacks on companies today.

Intelligence-powered cybersecurity provides a proactive solution. This approach requires continuous monitoring and analysis to stay ahead of evolving threats, offering tangible value by preventing attacks rather than just understanding them after the fact.

JR: Which do you think is more difficult for an industrial enterprise in the short term – getting hacked, or having to admit you got hacked?

JP: I would say that both scenarios present significant challenges for an industrial enterprise. However, in the short term, having to admit that you got hacked can sometimes be more difficult.

This is because it can damage the organization's reputation, erode customer trust, and lead to regulatory scrutiny. It can also be challenging to manage the immediate fallout of a data breach, including notifying affected parties and implementing remediation measures.

On the other hand, getting hacked can also have serious consequences, including data loss, financial damage and operational disruptions. Therefore, it is essential for industrial enterprises to implement robust intelligence-powered solutions to minimize the impact of known cyber threats and to stay one step ahead of malicious actors seeking to exploit vulnerabilities.

JR: What do you think will be the biggest takeaways from this attack – what can we learn from it?

JP: The biggest takeaways from this attack highlight the critical importance of proactive intelligence-powered cybersecurity measures. These measures can significantly enhance your cybersecurity posture and help in blocking all known threats.

By leveraging proactive intelligence, organizations can stay ahead of cyber threats, identify vulnerabilities before they are exploited, and implement robust defense mechanisms. This attack underscores the need for continuous monitoring of networks and systems to detect and respond to threats promptly. It also emphasizes the importance of implementing multi-layered security measures, including intrusion detection systems, endpoint protection and strong authentication protocols.

Furthermore, the attack highlights the need for organizations to prioritize cybersecurity and invest in the necessary resources to protect their data and assets. This includes training employees on cybersecurity best practices, conducting regular security assessments, and collaborating with industry partners and government agencies to share threat intelligence and best practices.

Overall, the key takeaway is that proactive intelligence-powered cybersecurity is essential for enhancing your cybersecurity posture and protecting against evolving cyber threats. It is crucial to stay vigilant, proactive, and adaptive in the face of an ever-changing cybersecurity landscape.
