Dive Brief:
- The Cactus ransomware group claims it stole 1.5 terabytes of data from Schneider Electric during an attack last month that affected the company’s sustainability business division; researchers who track ransomware groups have confirmed that the group has posted the claim, although the volume of data taken has not been independently verified.
- Based on a small sample Cactus released on its data leak site as proof of theft, the stolen data appears to include sensitive documents such as copies of passports and non-disclosure agreements, according to Callie Guenther, senior manager of cyber threat research at Critical Start. The stolen data, Guenther said, may contain personally identifiable information, confidential corporate documents and potentially sensitive operational or financial information related to Schneider Electric’s sustainability initiatives.
- In an incident notification updated earlier this month, Schneider Electric said it has mobilized its global incident response team to respond to the attack, contain the incident and reinforce existing security measures.
Dive Insight:
In the third quarter of 2023, Schneider Electric said its EcoStruxure Resource Advisor platform contributed to double-digit sales growth in its sustainability business. The digital platform, used by more than 2,000 companies globally, provides developers, system integrators and engineers with building-management applications covering monitoring, visualization and control systems, according to Schneider.
High-profile companies that use Schneider Electric’s sustainability solutions include PepsiCo, Walmart and GSK.
Last month, Schneider Electric said the Jan. 17 ransomware attack directly affected its EcoStruxure Resource Advisor platform. The company later reported that it had restored operations, reopening access to its sustainability business division’s platforms on Jan. 31, and that it is contacting customers affected by the incident.
“While ransomware is certainly impactful and disrupting businesses, the ability of organizations to restore [their operations] has gotten better,” Chris Henderson, senior director of threat operations at cybersecurity firm Huntress, said in an interview.
Many organizations can restore their operations from backup copies of their data, Henderson said. But as recovery from backups blunts the leverage of encryption alone, ransomware operators are increasingly resorting to data exfiltration, stealing data from organizations’ systems before or instead of encrypting it, and then threatening to leak it unless they are paid, he noted.
“The stolen data is likely a great deal of energy and related telemetry on customers of that business unit…along with files and correspondence associated with it. That’s likely where the passports came from,” John Bambenek, president at Bambenek Consulting, said in an email statement.
As a historical data point, Bambenek added, Cactus has exploited VPN appliance vulnerabilities in the past to gain initial access to victims’ systems and data. The initial access vector in the Schneider Electric incident has not been reported.
The rush to deploy remote access solutions to accommodate employees who work from home has contributed to a greater percentage of potential targets for ransomware gangs, John Shier, field chief technology officer at Sophos, said in an interview. “A lot of companies are reluctant to reboot the VPN to apply patches, because now their entire workforce is dependent on this infrastructure,” Shier said.
Another contributing factor is the tendency of system operators in many organizations to neglect to implement multifactor authentication on those remote access services, he said.
Compromised credentials and exploited vulnerabilities were the root cause of 72% of data breaches, Shier told Facilities Dive, citing an upcoming Sophos X-Ops report that draws on incident response data from roughly 154 large, mid-sized and small companies largely based in North America and Europe.
Cactus is reportedly threatening to leak Schneider data if the company does not pay a ransom. Information indicating whether Schneider Electric intends to pay the ransom is not publicly available.
Companies often refrain from disclosing their negotiation tactics or decisions regarding ransom payments to avoid influencing the behavior of future attackers. The decision to pay a ransom involves complex considerations, including the value of the stolen data, the likelihood of data recovery and the legal implications, Critical Start’s Guenther said.
“The default position should be, ‘Don’t pay the ransom,’ as you [are] funding these criminals. But it’s not that simple. It takes nuance and context,” Shier said. He emphasized that understanding the size and scope of a cyberattack is critical to effectively enforcing laws and combating criminals.
Recent initiatives like the U.S. government's Joint Ransomware Task Force, co-chaired by the Cybersecurity and Infrastructure Security Agency and the FBI, indicate a shift toward greater transparency, he said.
“Cybersecurity is a very important concern for facility managers capitalizing on technology to improve efficiency,” Frank Quigley, CEO of R&K Solutions, told Facilities Dive. The networked sensors and controls used to monitor machinery and meet sustainability goals widen a company’s attack surface and can lead to data breaches, according to Quigley, whose firm provides automated solutions for portfolio managers.
Building operators should work closely with their IT counterparts to ensure that the technology provided by suppliers and vendors is secured against such threats before it is connected, Quigley added.
David Jones, a reporter at Cybersecurity Dive, contributed to this story.