
Schneider Electric Sustainability Business Cactus ransomware (2024)

Cactus ransomware operators hit Schneider Electric's Sustainability Business division, taking the Resource Advisor consulting platform offline and exfiltrating approximately 1.5 TB of data — including passport scans and signed NDAs from customers like Hilton, PepsiCo, and Walmart.

Victim
Schneider Electric — Sustainability Business division

On 17 January 2024, the French industrial giant Schneider Electric disclosed that its Sustainability Business division — the consulting and software arm that helps large enterprises track and report on emissions and resource use — had been hit by Cactus ransomware. Customers of the division include Hilton, PepsiCo, and Walmart.

What happened

Cactus first appeared in March 2023 and quickly grew into one of the most prolific Ransomware-as-a-Service operations. Its standard playbook: exploit known vulnerabilities in VPN appliances and Qlik Sense business-analytics deployments, supplement with phishing and stolen credentials, then deploy double-extortion ransomware.

The breach was confined to the Sustainability Business division and its Resource Advisor platform; Schneider Electric stated that no safety-critical industrial-control systems were affected. That distinction matters: Schneider is one of the largest manufacturers of industrial automation hardware in the world, and a compromise of the OT side would have been an order of magnitude more serious.

Cactus claimed to have exfiltrated approximately 1.5 TB of corporate data and posted a 25 MB sample to its leak site that included images of U.S. citizens' passports and scans of non-disclosure-agreement documents. Schneider Electric restored business-platform access on 31 January 2024, two weeks after the attack.

Impact

  • The Sustainability Business division's Resource Advisor platform was offline for approximately two weeks.
  • Approximately 1.5 TB of corporate data claimed exfiltrated by Cactus.
  • Sample data included passport scans and NDAs.
  • No OT / industrial-control systems publicly affected.
  • Customers including Hilton, PepsiCo, and Walmart had data implicated.

Why it matters

Cactus's targeting of an ESG-consulting division highlights how consulting-arm data — emissions records, supplier disclosures, signed NDAs — has become a separate, high-value extortion target distinct from the parent's core operations. Schneider Electric's clear segmentation between IT and OT meant the blast radius stayed in IT, which is the minimum outcome any industrial conglomerate should now plan for.

Timeline

  1. Cactus ransomware operators detonate inside Schneider Electric's Sustainability Business division, taking the Resource Advisor platform and division-specific systems offline.

  2. Cactus posts a sample on its leak site: 25 MB of stolen material including images of U.S. citizens' passports and scans of NDA documents.

  3. Schneider Electric restores access to Sustainability Business division business platforms.

  4. Cactus claims to have exfiltrated approximately 1.5 TB of corporate data from the division. Schneider Electric confirms data was accessed; no safety-critical or industrial-control systems affected.

Sources

  1. bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/
  2. itpro.com: https://www.itpro.com/security/ransomware/schneider-electric-confirms-data-was-stolen-in-cactus-ransomware-attack
  3. darkreading.com: https://www.darkreading.com/ics-ot-security/cactus-ransomware-schneider-electric-sustainability-division
  4. infosecurity-magazine.com: https://www.infosecurity-magazine.com/news/schneider-electric-data-ransomware/
  5. industrialcyber.co: https://industrialcyber.co/threat-landscape/schneider-electric-faces-ransomware-attack-in-sustainability-business-cactus-group-involved/
