Schneider Electric confirms developer platform breach after hacker steals data

Schneider Electric has confirmed that a developer platform was breached after a threat actor claimed to have stolen 40GB of data from the company’s Jira server.

“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms, which is hosted in an isolated environment,” Schneider Electric told BleepingComputer.

“Our Global Incident Response team has been immediately mobilized to respond to the incident. Schneider Electric products and services remain unaffected.”

Schneider Electric is a French multinational company that manufactures energy and automation products ranging from household electrical components found in big box stores to enterprise-level industrial control and building automation products.

Over the weekend, a threat actor known as “Grep” mocked the company on X, indicating that they had breached its systems.

In a conversation with BleepingComputer, Grep said they breached Schneider Electric’s Jira server using exposed credentials. When they first gained access, they claimed to use a MiniOrange REST API to scrape 400,000 rows of user data, which Grep says includes 75,000 unique email addresses and full names of Schneider Electric employees and customers.

In a dark web post, the threat actor jokingly demands $125,000 in “Baguettes” not to leak the data and shares more details about what was stolen.

“This breach has compromised critical data, including projects, issues, and plugins, along with over 400,000 rows of user data, totaling more than 40 GB of compressed data,” reads a post to the Hellcat extortion page.

Threat actor post about Schneider Electric
Source: BleepingComputer

Grep told BleepingComputer that they recently formed a new hacker group, the International Contract Agency (ICA), named after the Hitman: Codename 47 game. The threat actor says this group has not previously blackmailed the companies they breached.

After learning that the “ICA” name is associated with a “group of Islamic terrorists,” the threat actors say they renamed themselves the Hellcat ransomware gang and are currently testing an encryptor to use in extortion attacks.

Grep told BleepingComputer that they are blackmailing Schneider Electric, demanding $125,000 not to leak stolen data, and half of that if an official statement is released.

Earlier this year, Schneider Electric’s “Sustainability Business” division was breached in a Cactus ransomware attack, with the threat actors claiming to have stolen terabytes of data.

Update 11/5/24: The story has been updated to reflect that they switched to the Hellcat name and are blackmailing Schneider Electric.