Schneider Electric Sustainability Business division suffered a ransomware incident on January 17th, 2024. The attack has impacted Resource Advisor and other division specific systems and accessed company data. All affected individuals have been notified The company’s security team is continuing to take additional actions based on its outcomes, working with relevant authorities.
Security leaders share their thoughts on the recent attack and how other organizations can protect themselves.
John Gallagher, Vice President of Viakoo Labs:
“Whether for IoT, OT or ICS systems it has been a long standing best practice to ensure these systems are on dedicated and isolated networks to prevent lateral movement if vulnerable IoT devices are breached. But this is not that situation; this is a business division and more like a fully separate company. In addition to isolated or segmented networks, effective use of zero trust principles can also be effective in preventing lateral movement within an organization. Using application-based discovery to identify all application, device and port relationships can also be effective in setting up and maintaining an isolated network. Too often a network is properly configured and isolated, but over time both users and configuration drift can impact that segmentation and allow punch-throughs.”
Sarah Jones, Cyber Threat Intelligence Research Analyst at Critical Start:
“The connection of the Schneider Electric attack to the Cactus ransomware group likely arises from two factors: Cactus’ history of targeting corporate networks and potential Qlik software use within Schneider Electric. Since Cactus previously exploited vulnerabilities in Qlik software it further strengthens the Cactus connection. While Schneider Electric maintains confidentiality regarding the specifics of their Sustainability Business division’s isolation, industry best practices suggest a layered approach. This approach likely includes network segmentation to confine the division’s IT infrastructure, minimizing the attack surface. Firewalls and security controls act as gatekeepers, restricting traffic flow and preventing lateral movement or data exfiltration. In more extreme cases, it is possible the division’s network might be air-gapped, offering the strongest isolation but at the potential cost of operational challenges. It is also likely the Schneider maintains dedicated security tools and personnel, enabling scanning for suspicious activity and swift detection and response capabilities. Additionally, access controls ensure only authorized individuals can access the systems, preventing unauthorized modifications. While sensitive data is likely encrypted at rest and in transit, providing an additional layer of protection.”
https://www.securitymagazine.com/articles/100370-security-leaders-share-thoughts-on-schneider-electric-ransomware-attack