Schneider Electric reports cyberattack of their dev platform, data breach
Learn More
Schneider Electric, a digital automation and energy management vendor is reporting a breach involving unauthorized access to its internal project execution tracking platform, hosted in an isolated environment. The company reported that its global incident response team is investigating the incident, which allegedly involved ransomware by the recently emerged HellCat group.
On Saturday 2nd of November, the HellCat ransomware gang claimed responsibility for the attack, asserting that they had accessed Schneider Electric’s Atlassian Jira server. The group claims to have exfiltrated approximately 40GB of sensitive project and user data. According to the hackers, the stolen information includes:
- Project data and associated issues
- 400,000 rows of user data, including names and email addresses of approximately 75,000 Schneider Electric employees and customers
- Various Jira plugins
The threat actor, identified as "Grep," disclosed in an interview that they used exposed credentials to infiltrate Schneider Electric's Jira platform. After gaining initial access, they leveraged a MiniOrange REST API to scrape user data and project information from the server. Grep taunted the company on social media, demanding a $125,000 ransom in "Baguettes" (a mocking reference to French culture) to prevent the leak of this information.
The HellCat group set a deadline, threatening to leak the data if Schneider Electric did not acknowledge the breach within 48 hours.
Schneider Electric confirmed the attack, noting that its products and customer-facing services remain unaffected. The company has since mobilized its incident response team to address the security breach and strengthen defenses.
This breach follows another ransomware attack on Schneider Electric in January 2024, when its Sustainability Business division fell victim to the Cactus ransomware group, impacting the Resource Advisory product and division-specific systems.
The breach coincided with Schneider Electric’s announcement of Olivier Blum as the new CEO, following Peter Herweck’s removal due to strategic disagreements. HellCat hinted at the timing by offering the ransom discount as a "welcome gesture" to the new CEO.
Update - as of 29th of December 2024, following the company's refusal to pay the ransom, the Hellcat ransomware group leaked approximately 40 GB of stolen data on the dark web.
As of 1st of April 2025, a hacker with the username HCSupp," posted on a hacking forum what they claim to be the exfiltrated 44 GB of data from the company's systems, humorously requesting payment "in the form of French bread 'Baguette'."
