Unauthorized Access Detected: Schneider Electric examines cyber breach following threat actor's platform infiltration
Schneider Electric, a leading energy management and automation company, is currently investigating a cyber incident that has impacted one of its internal project execution tracking platforms. The Resource Advisor platform, used by over 2,000 customers worldwide to monitor energy and resource data, was affected in the January attack.
Several threat groups have claimed responsibility for the incident, including Grep and Hellcat. Grep claimed to have accessed Schneider Electric using compromised credentials and to hold 75,000 unique names and email addresses. Hellcat, on the other hand, claimed it obtained 40 gigabytes of data from Schneider Electric and said it was able to gain access to the company's Atlassian Jira environment.
Cactus ransomware also claimed credit for the January attack at Schneider Electric, while the incident at Schneider Electric's sustainability business division was reported. Researchers at Kroll are aware of the group Hellcat but have no additional information on the group or the incident.
Schneider Electric's global incident response team has been mobilized to address the situation. It is important to note that the company's products and services were not affected by the incident. The affected platform is hosted within an isolated environment to minimise potential impact.
This incident marks the third cyber breach in less than two years for Schneider Electric. In 2024, the company acknowledged a data breach in which hackers stole 40GB of data, involving the Lumma Infostealer malware. Researchers also noted that JIRA credentials from Infostealer infections had been used in hacks against companies including Schneider Electric, suggesting indirect impact. In 2025, vulnerabilities in Schneider Electric's EVLink WallBox were reported by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), although no public exploitation of these vulnerabilities has been reported.
These incidents underscore Schneider Electric's exposure to cyber threats, including data breaches and potential vulnerabilities in its equipment. However, the company has not publicly disclosed additional details about direct cyber attacks beyond these incidents.
- Schneider Electric's global incident response team, activated due to the recent cyber incident impacting the Resource Advisor platform, is investigating threats from multiple groups such as Grep, Hellcat, and Cactus ransomware.
- The incident has exposed potential vulnerabilities: Hellcat, one of the groups claiming responsibility for the attack, allegedly gained access to Schneider Electric's Atlassian Jira environment.
- Schneider Electric's overall exposure to cyber threats warrants continued vigilance, given the company's recent history of data breaches and potential vulnerabilities in its technology: the Resource Advisor platform incident, the reported EVLink WallBox vulnerabilities, and the 2024 data breach involving the Lumma Infostealer malware.