'Cactus' Ransomware Strikes Schneider Electric

10 months ago 44
News Banner

Looking for an Interim or Fractional CTO to support your business?

Read more

A cactus in the desert

Source: Nate Hovee via Shutterstock

Schneider Electric has fallen victim to a cyberattack affecting its Sustainability Business division, and reports thus far have attributed it to a rising ransomware operation called "Cactus."

Schneider Electric is a world leader in industrial manufacturing, be it equipment for industrial automation and control systems, building automation, energy storage, and more. According to a press release from the industrial giant, the damage from its Jan. 17 breach was limited to only its sustainability division, which provides software and consulting services to enterprises, and affected no safety-critical systems.

Still, the company faces potential repercussions if its clients' business data gets leaked. According to Bleeping Computer, the Cactus ransomware gang — a relatively young yet prolific group — has claimed the attack. (When Dark Reading reached out to Schneider Electric for corroboration, the company did not confirm nor deny this attribution.)

What Happened to Schneider Electric

Schneider Electric has not yet revealed the scope of data which may have been lost to its attackers, but did acknowledge one affected platform: Resource Advisor, which helps organizations track and manage their ESG, energy, and sustainability-related data. 

The attack was entirely limited to platforms and operations associated with its Sustainability division because, the company explained, it is "an autonomous entity operating its isolated network infrastructure."

The company also noted that it has already informed affected customers, and it expects business operations to return to normal by Jan. 31.

But that may not be the end of the story, since Schneider Sustainability serves a broad swath of organizations in more than 100 countries, including 30% of the Fortune 500, as of 2021. Having so many potentially impacted customers may bear on how the company addresses a ransom demand.

What You Need to Know About Cactus Ransomware

Cactus isn't even a year old yet, having first arrived on the ransomware scene last March. Already, though, it is one of the planet's most prolific threat actors.

According to data from NCC Group, shared with Dark Reading via email, Cactus has been claiming double-digit victims nearly every month since last July. Its busiest stretches thus far have been September when it took 33 scalps, and in December, 29 scalps, making it the second busiest group during that period, behind only LockBit. Its 100 or so victims have thus far spanned 16 industries, most commonly the automotive sector, construction and engineering, and software and IT.

But it isn't for any discernible technical reason that it has achieved so much so fast, says Vlad Pasca, senior malware and threat analyst for SecurityScorecard, who wrote a whitepaper about the group last fall. In general, Cactus just relies on known vulnerabilities and off-the-shelf software.

"Initial access is achieved using Fortinet VPN vulnerabilities, and then they use tools like SoftPerfect Network Scanner and PowerShell to enumerate the hosts in the network, and perform some lateral movement," Pasca says. Perhaps, he suggests, Cactus' banality is the lesson to take away from Schneider Electric's story — that "even if you have a big budget for cybersecurity, you might still be impacted because of such basic vulnerabilities."

Read Entire Article