Schneider Electric Hacked and Blackmailed Following Lumma Infostealer Infection

Free Infostealer Intelligence Tools by Hudson Rock – www.hudsonrock.com/free-tools

On November 4th, Schneider Electric acknowledged a data breach in which hackers stole 40GB of data from the company’s Jira server.

“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms which is hosted within an isolated environment,” Schneider Electric told BleepingComputer.

The company was apparently targeted by a new ransomware group named “HellCat,” which consists of several prominent hackers, including “grep,” who previously hacked Dell and Capgemini.

The group demands $125,000 to delete the data and prevent its public release.

The Infostealer Connection

Hudson Rock researchers identified a Schneider Electric employee infected by Lumma Infostealer on October 13, 2024. The employee, who appears to be based in India, was likely infected while attempting to download a cracked version of Adobe Premiere from a YouTube video.

Browsing history data from the infected employee’s computer shows how they were lured into downloading the infostealer.
The Youtube video from which the victim downloaded the infostealer

In a conversation with BleepingComputer, Grep said they breached Schneider Electric’s Jira server using exposed credentials. Once they gained access, they claimed to use a MiniOrange REST API to scrape 400k rows of user data, which Grep says includes 75,000 unique email addresses and full names for Schneider Electric employees and customers.

When investigating these claims, researchers found a direct match between Grep’s assertions and credentials on the compromised computer, Hudson Rock had these credentials ahead of the breach and it was highly preventable –

Grep’s claims of a MiniOrange REST API being used to hack the company is aligned with the credentials found on the infected computer

Additionally, the employee’s computer held other sensitive Jira-related credentials belonging to the organization, with usernames like “cloud_migration” and “jira_migration” and an associated password which is too embarrassing to share (believe us).

Screenshot of additional credentials relating to Schneider Electric found on the computer

Speaking to the threat actor they provided researchers with confirmation

Schneider Electric has hundreds of employees who were infected by Infostealers over the years, many of them with sensitive credentials and accesses, along with bad passwords, and lack of anti-viruses installed, demonstrating a poor cyber hygiene at the company.

Infostealer infections overview for Schneider Electric from Hudson Rock’s platform showing hundreds of compromised employees
Passwords strength statistic from the various Infostealer infections of employees at Schneider Electric
Most common URLs with corresponding corporate credentials of infected employees
Anti-virus presence identified on infected Schneider Electric employee computers

Collaborative tools such as JIRA, Confluence, and others pose significant risks for organizations today, as they are heavily targeted by hackers due to the wealth of information stored within them. We highlighted this in a previous research report titled ‘How Hackers Really Used Infostealers for the Biggest Recent Cyber Breaches.’

Conclusion

Infostealers are a real and growing threat, enabling hackers to execute significant breaches across major organizations. By exploiting weak points like webmail and VPNs, they gain access to sensitive data and systems, as seen in recent attacks on companies like Snowflake and EA Sports.

To combat this, organizations must strengthen their cybersecurity measures, such as implementing multi-factor authentication and educating employees about safe practices. Utilizing Hudson Rock’s threat intelligence can provide invaluable insights into compromised credentials and real-time notifications, helping companies proactively address vulnerabilities before they lead to breaches.

To learn more about how Hudson Rock protects companies from imminent intrusions caused by info-stealer infections of employees, partners, and users, as well as how we enrich existing cybersecurity solutions with our cybercrime intelligence API, please schedule a call with us, here: https://www.hudsonrock.com/schedule-demo

We also provide access to various free cybercrime intelligence tools that you can find here: www.hudsonrock.com/free-tools

Thanks for reading, Rock Hudson Rock!

Follow us on LinkedIn: https://www.linkedin.com/company/hudson-rock

Follow us on Twitter: https://www.twitter.com/RockHudsonRock

Don’t Stop Here

More To Explore

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise

favicon__1_ removebg-png

BE THE FIRST TO KNOW

Stay informed with the latest insights in our Infostealers weekly report.

Receive immediate notification if your email is involved in an infostealer infection.

No Spam, We Promise