Cactus ransomware gang claims to have stolen 1.5TB of Schneider Electric data


On Sunday, the Cactus ransomware gang claimed to have stolen 1.5 terabytes of data from Schneider Electric in an attack last month against the OT manufacturer. The ransomware group uploaded 25 megabytes of data as evidence of its attack.

In a statement on its website, Schneider Electric confirmed that “some data” from its Sustainability Business Division was obtained by the malicious actor.

Although the extent of the stolen data was not 100% certain, published reports said the threat actor posted snapshots showing the passports of several US citizens and scans of non-disclosure agreements. The threat actor, who first appeared in March 2023 and focused on double extortion techniques, was also reportedly in ransom negotiations with Schneider Electric.

Given that the French multinational does business with many global manufacturers, retailers and logistics companies, security researchers are concerned about this latest news.

“Now that Cactus Group has shown its ‘proof of life,’ you can be sure that Schneider’s major customers are putting significant pressure on them to make what will likely be a record ransomware payment to prevent the disclosure of a mountain of sensitive data,” said John Gunn, CEO of Token. “In this case, cybercriminals hold all the cards, because even Schneider probably doesn’t know for sure what was stolen and which customers it will affect.”

Gunn said this is undoubtedly another example of a massive ransomware loss, similar to the $100 million loss caused by MGM last fall. Gunn added that almost all of these losses are the result of companies relying on 20-year-old legacy MFA technology to stop sophisticated AI-driven generative phishing attacks. “What could go wrong in this scenario?” Gunn asked. “Well, here’s your answer again.”

Melvin Lammerts, head of hacking at Hadrian, highlighted that based on the available information, threat actors got their hands on customer and/or employee data, including personal information and passport scans.

“This information is often stored with the contracts and not in a separate, secure vault,” Lammerts explained. “Given the scale of the leak, it is likely that the attackers gained access to a large number of documents.”

Chris Clymer, director and CISO at Inversion6, added that what he finds most interesting about this attack is that Schneider Electric had recently had vulnerabilities in various software packages publicly reported by CISA almost every month.

Clymer said some of these vulnerabilities have CVSS scores as high as 9.8, meaning they are easy to exploit and accessible remotely. OT vendors like this typically lag behind traditional IT vendors in terms of providing proper software support and security, Clymer said.

“This mattered less when these systems were isolated, but modern networks often make OT systems accessible, and therefore exploitable… which is precisely why CISA tracks and reports these issues,” Clymer said. “Being a victim of the latest MoveIT attack and the series of serious vulnerabilities is starting to paint a picture. If I were a shareholder, I would ask tough questions about the status of their cybersecurity program, whether SE deems it adequate, and what they are doing to curb these events.”

Callie Guenther, senior director of cyberthreat research at Critical Start, added that while there is no information on whether Schneider Electric intends to pay a ransom, companies often refrain from disclosing their negotiation tactics or their decisions regarding ransom payment, as this could influence the actions of future attackers.

“The decision to pay a ransom involves complex considerations, including the value of the stolen data, the likelihood of data recovery, legal implications, and potential encouragement of future attacks,” Guenther explained.