You have 0 free articles left this month.
Register for a free account to access unlimited free content.
Powered by MOMENTUM MEDIA
lawyers weekly logo

Powered by MOMENTUMMEDIA

Breaking news and updates daily. Subscribe to our Newsletter
Advertisement

Exclusive: Alleged Schneider Electric data posted following November ransomware incident

A threat actor allegedly representing the Hellcat ransomware group has posted data they say was exfiltrated from global energy company Schneider Electric.

Exclusive: Alleged Schneider Electric data posted following November ransomware incident
expand image

In a post to a popular hacking forum, a user called HCSupp said they were sharing data belonging to Schneider Electric after the company refused to pay the ransom.

“In November 2024, Schneider Electric suffered a data breach after a #HellCat ransomware attack. The attackers exfiltrated 44 GB of data and demanded $125,000 in the form of French bread ‘Baguette’,” wrote HCSupp.

“However, Schneider Electric refused to pay, calling the demand ‘disrespectful’. Today, I am releasing the Users dataset extracted from their internal systems, which was part of the 44 GB of data.”

According to the listing, in which the alleged named data above was listed for free, the new release contains the first names, email addresses, group names, application data and gravatar avatars of users.

Cyber Daily’s investigation of the data has been unable to determine if all of the data is legitimate, but it has determined that the database contains the real names and emails of several Schneider Electric staff.

While the threat actor’s name suggests an affiliation with the Hellcat ransomware gang, which claimed the incident back in November, Hellcat itself has remained quiet on its dark web leak site.

Cyber Daily observed that Schneider Electric was no longer visible on the site at the time of writing.

The Schneider Electric incident, which was the second one it suffered in 2024, first came to light on 4 November 2024 when a threat actor by the name of “greppy” posted to X to taunt the French multinational.

“Hey @SchneiderElec how was your week?” the threat actor said.

“Did someone accidentally steal your data and you noticed, shut down the services and restarted without finding them? Now you shut down again but the criminals seem to have taken more juicy data.”

In a reply to their own tweet, the threat actor also posted a sample of the stolen data, which appeared to be email addresses, links to JIRA accounts and links to Gravatar accounts. Gravatar is a platform that allows users to create a digital avatar to accompany their email address.

Schneider Electric, at the time, appeared on the Hellcat ransomware dark web leak site, with the group claiming responsibility for the incident.

“We have successfully breached Schneider Electric’s infrastructure, accessing their Atlassian Jira system,” the group said.

“This breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40GB compressed data.

“To secure the deletion of this data and prevent its public release, we require a payment of $125,000 USD in Baguettes. Failure to meet this demand will result in the dissemination of the compromised information.

“Stating this breach will decrease the ransom by 50%, its your choice Olivier ... ,” the threat group added, naming Schneider Electric’s new CEO Olivier Blum, who was appointed earlier that week.

Schneider Electric, at the time, said it was aware of the incident and was actively investigating the alleged breach. It has not commented on the latest activity.

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
You need to be a member to post comments. Become a member for free today!

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.