Schneider Electric reports a cyberattack, the third incident in 18 months

Multinational energy management company Schneider Electric said on Tuesday it had fallen victim to a cyberattack in which attackers claimed responsibility behind a new ransomware variant.

“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms hosted in an isolated environment,” a spokesperson said in an emailed statement. “Our Global Incident Response team was immediately mobilized to respond to the incident. Schneider Electric’s products and services remain unaffected.”

The company was listed as a victim on the Hellcat ransomware variant leak page. The attackers demanded a ransom of $150,000 in “baguettes,” a blunt reference to the company’s headquarters in France. In reality, the attackers are looking for payment in Monero, a privacy-focused cryptocurrency.

HellCat claims to have more than 40 gigabytes of data from the company's JIRA platform, “including projects, issues and plugins, along with over 400,000 lines of user data.” Jira is a general purpose project management application that may contain confidential or proprietary information about employees or large projects.

The attackers did not provide further details about what type of information was stolen.

“To ensure the deletion of this data and prevent its publication, we require a payment of $125,000 in baguettes. If this request is not met, the compromised information will be shared,” the notice said, adding that specifying the breach would reduce the ransom by half. “It’s your decision, Olivier…”

The news appears to refer to Schneider Electric's new chairman, Olivier Blum, who took over as CEO this week after Peter Herweck was ousted.

HellCat has previously released records purporting to come from Jordan's Ministry of Education and Tanzania's College of Business Education.

The incident marks the third time in the last 18 months that Schneider Electric has been attacked by ransomware groups. In January, the company's sustainability division was hit by the Cactus ransomware. In June 2023, the company announced that it had been targeted by Cl0p via the exploit used in the MoveIT breach.