Login
Get started Get started
Get started Login
Products
Solutions
KNOWLEDGE
HELP CENTER
COMPANY

Open web

DARK WEB

DATASETS

TECHNOLOGIES

Learn

Your hub for web data

BLOG

Featured Article

Top Cyber Trends to Monitor the Dark Web for in 2025

In this webinar we’ll be talking to Liran Sorani, a vetaran in the cyber intelligence industry, to learn about the emerging cyber trends every organization needs to monitor on the dark web before they impact their business.

Back to all Dark Web Pulses
Data Breach Threats

Schneider Electric Ransomware Attack: Key Insights for Cybersecurity Researchers

October 29, 2024    
Schneider Electric Ransomware Attack: Key Insights for Cybersecurity Researchers

This topic was recently the focus of an in-depth webinar hosted by Webz.io. For the complete details, you can watch the recording by clicking here. Below is a summary of the findings presented during the webinar.

Cactus Ransomware is quickly becoming a hot topic in the ICS (industrial control systems) space. The recent Cactus ransomware attack on Schneider Electric underscores the critical vulnerabilities currently present in protection for industrial control systems, especially when it comes to protecting the supply chain. Schneider Electric, a French multinational with $28.5 billion in revenue, was the target of multiple data breaches using Cactus ransomware in 2024. The attacks resulted in the exfiltration of a substantial amount of confidential corporate data, and presented large risk to Schneider Electric.

Because Schneider Electric’s products are widely used across various industries in the ICS space, the breaches are particularly concerning. These systems serve as the foundation for numerous critical operations, ranging from enterprise-level automation to industrial control. Any vulnerabilities in Schneider Electric’s products could pose significant operational and safety risks to Schneider Electric and their customers.

Timeline of the Schneider Electric Ransomware Attack

Webs.io Designing a graphic for a blog post V3 01 2

January 2024

The Cactus ransomware group initiated the first attack against Schneider Electric’s Sustainability Business division. Cactus ransomware stole terabytes of corporate data, impacting key customers, including major brands.

February 19, 2024

The Cactus group, linked to the Hunt3r Kill3rs Telegram channel, publicly disclosed 1.5TB of stolen data on their ransomware site. This data included accounting records, customer contracts, engineering drawings, snapshots of American citizens’ passports, and other forms of employee PII. Once sensitive corporate and personal information is on the dark web, the company is at risk.

July 8, 2024

Hunt3r Kill3rs revealed via their Telegram channel that they had infiltrated multiple Schneider Electric products globally. The infiltrated products were specifically the PowerLogic 7650, 8600, and 8650 models—key components of Schneider’s ICS infrastructure.

August 13, 2024

Cactus ransomware group and Hunt3r Kill3rsclaimed responsibility for another breach. They targeted Schneider Electric’s Italian operations, reporting that Unitronics systems had been compromised. As a result, concerns about the ransomware group’s widespread reach into critical  infrastructure were raised even further.

Investigating the Dark Web to Uncover Ransomware Threats Against Schneider Electric

Uncovering attacker sourcing and dark web activity is a critical part of any investigation, for MSSPs (Managed Security Service Providers) and internal cyber teams. This data is often crucial for cooperating with government authorities, cyber insurance companies, and building post-incident reports for presentation to executives. Using Lunar, our dark web monitoring tool, we dove into the Cactus ransomware gang’s activity and were able to find valuable details including the attack’s origins, progress, and even provide critical data points that could help to stop attackers from removing further information if the breach is still active.

Below is the step by step investigation you should take using your dark web monitoring platform to track down key details of the Cactus Ransomware attack. We highly recommend you follow these steps as the data we found contains critical details regarding the ransomware attack, IOCs (indicators of compromise) that signalled future attacks were coming, and how you set up alerts to leverage that data to ensure you stop the attacks in progress for the next time.

Enhance your threat detection with Lunar

Step 1: Initial Discovery Query on the Dark Web

Begin your investigation by running a broad discovery query to find any mentions of Schneider Electric across the deep and dark web. This should include variations of the company’s name and domain, such as:

  • “Schneider Electric”
  • “schneider-electric.com”
  • (Schneider AND Electric)

Set your timeframe for at least one year to capture all relevant mentions before, during, and after the Cactus ransomware attack.

Screenshot from Lunar showing the initial query and site type filter.
Screenshot from Lunar showing the initial query and site type filter.

Step 2: Narrowing Focus to Ransomware Blogs

Next, filter the results by “site type” and focus on Ransomware Blogs, which leads you directly to discussions and posts related to the Cactus ransomware group. This allows you to analyze posts across various forums, telegram groups, and other discussions connected to the attacks on Schneider Electric.

Step 3: Investigating Pre-Attack Indicators

To understand how the threat actor initially gained access, remove the “site type” filter and examine the peak in activity before the attack. Narrow down your results further by filtering for Threat Intelligence. The number of results should go from over 2,000 to around 500, making it easier for you to focus on intelligence you can make use of immediately.

Step 4: Identifying Key Sources on the Dark Web

Then take a look at your Top Sources Pie Chart so you can see which source is going to be your most active. Russian Market, a known dark web datastore specializing in stolen credentials and stealer logs, emerges as the leading source. This leads you to your next query, a search in the stealer logs repository:

  • pii.domain_employee:schneider-electric.com

This search yielded a critical result. The credentials of an employee of Schneider Electric had been leaked three separate times about a month before the attack. Investigating this specific entry revealed key details like the user’s credentials, malware path, and hardware ID. Critical information for mitigation as well as uncovering a potential entry mechanism which must be included in your report.

Screenshot of Lunar, stealer logs showing PII from Schneider Electric employees.
Screenshot of Lunar, stealer logs showing PII from Schneider Electric employees. 

Moving beyond the historical analysis, the next part of your investigation should focus on understanding the ransomware group’s current activity. Return to your queries library and run the initial discovery query again, but this time focus on Telegram as a source. By filtering the results to focus on Telegram mentions, you uncover a post by the hacktivist group Hunt3r Kill3rs, known associates of the Cactus ransomware gang. Using the “View thread” option, retrieve all related posts from their Telegram channel, identifying further indicators of compromise.
Screenshot from Lunar showing the Hunt3r Kill3rs Telegram thread.
Screenshot from Lunar showing the Hunt3r Kill3rs Telegram thread. 

Step 6: Deep Dive into Threat Actor Conversations

To narrow down the most relevant conversations, search for Schneider Electric within the thread and sort the results by descending date. The second result reveals details about an attack targeting Schneider’s headquarters. Additional posts provided insights into how deep the attackers penetrated into Schneider Electric’s systems. These posts mentioned specific components that were compromised, further mapping the extent of the attack.

Step 7: Setting Up Alerts for Future Threats

Finally, to stay ahead of future threats, create an alert that would notify you whenever Schneider Electric was mentioned again in the Hunt3r Kill3rs Telegram channel. This alert system is crucial for early detection, allowing you to respond more effectively to potential threats before they escalate.

Taking Action to Protect Your Organization

The dark web investigation of Schneider Electric’s ransomware attack underscores the importance of proactive monitoring and swift response. Here’s how you can apply the lessons from this investigation to protect your organization:

1. Uncover: Proactive Monitoring & Alerts

The first step in any effective security strategy is to uncover potential threats before they cause significant damage. As demonstrated, a discovery query can help you find leaked credentials, malicious discussions, or indicators of a potential attack. Set up alerts to notify you when similar threats reappear, allowing you to respond in real-time rather than launching an investigation from scratch.

Action Step: Set alerts for mentions of your company on the dark web. This will give you immediate notifications if your credentials or vulnerabilities are exposed.

2. Identify: Deep Dive Into Threat Actors

The second step is to identify the key threat actors or vulnerabilities by diving deeper into the data. By tracking down the individuals or groups behind malicious activity, such as ransomware gangs, you can gain insights into their tactics, techniques, and procedures (TTPs). Investigate their activity across platforms to determine whether they are serious or pose a genuine threat.

Action Step: When you uncover a potential threat, analyze the actor’s profile. Ask yourself key questions: Is the actor real or fake? Are they connected to other threat groups? What vulnerabilities are they discussing? This will help you understand the severity and scope of the threat.

Enhance your threat detection with Lunar

3. Neutralize: Informing Your Response Team

After gathering this intelligence, the final step is to neutralize the threat. Compile your findings into a comprehensive report that outlines the malware path, the threat actor’s identity, and their group’s activity. This report equips your response team with the information they need to swiftly remove malware, patch any compromised systems, and prevent future breaches.

Action Step: Generate actionable reports with all the critical information. Share these reports with your security team to ensure they can address the threat effectively and prevent further data leakage.

Best Practices for Preventing a Data Breach Like the Schneider Electric Attack

  • Monitor Your Supply Chain
    • Regularly track common vulnerabilities and exposures (CVEs) associated with your supply chain. Cybercriminals often target weak links in your vendor network.
  • Dark Web Intelligence
    • Continuously monitor the dark web for any discussions involving companies related to your supply chain. Threat actors frequently share exploits or trade insider information.
  • Audit Your Active Registry
    • Conduct regular audits of your active registry to check for new or altered admin accounts. Malicious actors often use unauthorized access to elevate privileges.
  • Zero-Trust Security
    • Implement and enforce zero-trust protocols. Ensure that every user and system, whether inside or outside your network, is subject to verification and authorization before gaining access.
  • Offsite Air-Gapped Backups
    • Maintain offsite, air-gapped backups to safeguard critical data. This minimizes downtime and provides leverage while you manage ransomware negotiations or recovery.

This investigation into Schneider Electric’s ransomware attack highlights how critical dark web monitoring is for uncovering early indicators of compromise. By tracking credential leaks, monitoring threat actor chatter, and setting up custom alerts, cybersecurity researchers working for MSSPs can proactively protect their clients from emerging threats.

Learn more about our dark web monitoring tool, Lunar, and how it can enhance your threat detection capabilities.

Brand ProtectionCompromised PIIcyber threat intelligenceDark Web Monitoring
Arielle Erenrich
Arielle Erenrich

Spread the News
Previous Post
Next Post

Not subscribed to our Dark Web Pulse updates?

By submitting you agree to Webz.io's Privacy Policy and further marketing communications.

Read More

Could Panasonic’s Breach Have Been Prevented?
January 24, 2022    

Could Panasonic’s Breach Have Been Prevented?

On November 26, 2021, Panasonic joined a long list of companies that suffered a data breach over the past year. See the posts we found in the dark web that could indicate that an attack was in the making.
Top 5 Ransomware Group Trends in 2021
January 24, 2022    

Top 5 Ransomware Group Trends in 2021

Ransomware gangs ramped up their cyber attacks in 2021. Here are 5 trends related to these groups that you need to know.
The Rise in Use of Alternative Social Media Platforms for Illicit Activities
January 24, 2022    

The Rise in Use of Alternative Social Media Platforms for Illicit Activities

The year of 2021 has seen the rise of alternative social media platforms. Discover the top illicit discussion topics we monitored on these sites.

Feed Your Machines the Data They Need

Feed Your Machines the Data They Need

GET STARTED

Expose Hidden Risks to Your Domain

Uncover dark web threats with Lunar, the next gen dark web intel platform

Keep Reading
Learn more
Subscribe to our newsletter for more news and updates!

Ready to Explore Web Data at Scale?

Speak with a data expert to learn more about Webz.io’s solutions
get started
Create your API account and get instant access to millions of web sources
SEE DEMO