Schneider Electric resumes eco-friendly operations post cyber assault

Energy firm continues probe into ransomware incident, exposing stolen data.

Sustainability operations of Schneider Electric reinstated following cyberattack

In January 2024, Schneider Electric, a global leader in energy management and automation, suffered a ransomware attack on its EcoStruxure Resources Advisor platform, part of its Sustainability Business Division. The attack was claimed by the Cactus Ransomware group, which threatened to release stolen data if their demands were not met[1][2].

The attackers claimed to have exfiltrated 1.5 terabytes of highly sensitive sustainability and compliance data, potentially exposing detailed information related to environmental, energy regulatory compliance, and industrial automation systems of Schneider Electric's clients, which include major global companies like PepsiCo, Walmart, DHL, and others[2].

The incident has caused substantial data theft and operational risks, as well as reputational harm. Cactus published 25 MB of the stolen data to demonstrate the seriousness of their threat, putting pressure on Schneider Electric and its customers to consider paying a ransom[1][2].

Beyond ransom payment, the breach risks damaging Schneider Electric’s reputation, diminishing customer trust, and attracting regulatory scrutiny due to the sensitive nature of ESG (Environmental, Social, and Governance) data involved[2]. This incident represents Schneider Electric’s third ransomware attack in approximately 18 months, indicating persistent targeting of their critical infrastructure and business units by ransomware actors[2][4].

Manufacturing and industrial sectors, such as Schneider Electric’s core business, remain top targets for cybercriminals due to their critical role and reliance on connected operational technology[2].

Schneider Electric has not yet disclosed the number of customers impacted by the attack; the investigation to determine the full extent of the data exfiltration and the type of data accessed during the attack is ongoing[1]. The company has confirmed that attackers exfiltrated data during the ransomware attack.

Cactus Ransomware, which emerged last March, has become very active in recent months. The group often uses VPNs for initial access, according to Laurie Iacono, associate managing director, cyber risk at Kroll, who observed increased activity by Cactus Ransomware in Q4[1].

Schneider Electric disclosed the ransomware attack in a blog post on January 29 and warned about a pause in operations. The company restored operations at its sustainability business division on January 31[1]. Schneider Electric has committed to bolstering cybersecurity defenses, adopting proactive strategies including multi-factor authentication, regular backups, and system hardening to mitigate future attacks[3].

As of August 2025, it is still unclear whether Schneider Electric paid any ransom or if the attackers encrypted the data beyond stealing it[1]. The company continues to face pressure to address the growing threat ransomware poses to ESG data and manufacturing sectors globally[1][2][4].

Schneider Electric will reach out directly to affected customers regarding the data exfiltration. The investigation into the full extent of the January attack is still ongoing at Schneider Electric.

References:

  1. Schneider Electric Blog Post
  2. BleepingComputer Article
  3. Schneider Electric Security Best Practices
  4. Cybersecurity Dive Article

The cybersecurity threats against Schneider Electric, such as the recent ransomware attack on their EcoStruxure Resources Advisor platform, highlight the importance of robust cybersecurity measures, particularly in technology-reliant sectors like manufacturing and industrial automation.

Schneider Electric's persistent ransomware attacks, with three incidents in the past 18 months, underscore the need for proactive cybersecurity strategies, including multi-factor authentication, regular backups, and system hardening, to protect sensitive data like ESG information from cyber risks and ransomware groups like Cactus.
