31 Jan 2024

Stephen Robinson, Senior Threat Intelligence Analyst at WithSecure, commenting on the Schneider Electric ransomware attack, says: "The attack on Schneider Electric follows a trend of cyberattacks against the energy sector."

He adds, "The energy sector is a popular target for ransomware due to playing a vital role in society's daily functioning – disruption can have far-reaching consequences. Schneider Electric themselves were victims of LockBit's MOVEit ransomware campaign in 2023, so it is concerning to see them compromised again so soon."

Leveraging data

Stephen Robinson continues, "Energy companies hold huge amounts of PII which not only has value on the dark web but is excellent leverage for cyber attackers when demanding a ransom."

He said, "In addition to this, it was Schneider Electric's Sustainability Business enterprise consulting arm that was compromised. Its customers include mega-companies such as Hilton, PepsiCo, and Walmart, and they likely hold sensitive data belonging to these companies."

Cactus ransomware brand

Stephen Robinson adds, "Schneider Electric is yet to confirm if the Cactus ransomware brand was responsible for the attack, and they have not as yet been listed on the group's leak site, however, Cactus has become increasingly active in recent months."

He continues, "They are a multipoint extortion group that first appeared in March 2023, and their TTPs follow the standard ransomware playbook, making use of well-known tooling and methods. During multiple of their initial attacks in 2023, Cactus gained access to victim networks via vulnerable VPN gateways, often Fortinet VPN instances."

Risk assessments

Stephen Robinson concludes, "The energy sector and other, similar Critical National Infrastructure (CNI) will continue to be a regular target for cyberattacks, especially with the current, heightened geopolitical tensions. In its Annual Review, the UK NCSC warned about the increasing threat towards CNI."

He further said, "Therefore, energy organizations must invest in regular risk assessments and advanced security measures to minimize their attack surface."