Ransom hackers are hitting climate data

The News

Hackers are opening a new front in the corporate cybersecurity wars by hijacking the torrent of sensitive climate and energy-related data streaming out of companies.

In January, the consulting firm Schneider Electric was hit by a ransomware attack on its Sustainability Business division, which helps client companies track their emissions, improve their energy efficiency, and source renewable power, among other services. The attack took some of the division’s essential software offline for two weeks, during which an undisclosed volume of client data was compromised. A Schneider spokesperson declined to specify what exactly was stolen (or answer any questions beyond a terse press release), but the main program that was hit manages clients’ energy-use data, including emissions estimates, utility invoices, and facility-level information that is more detailed than what companies typically make public.

Schneider declined to say whether it paid a ransom to retrieve stolen data, but for now the episode appears to be over. The company said it is investigating and plans to take “additional actions” to improve its cybersecurity.

Tim’s view

The attack on Schneider illustrates a new vulnerability for companies already facing pressure from regulators and shareholders to track and curb their emissions. Businesses are compiling more energy and climate data than ever before, which have the potential to reveal sensitive details of their operations and embarrassing facts about their environmental footprint. And they’re often sharing it with a proliferation of third-party accounting and consulting firms: Schneider itself is developing decarbonization plans for at least one-third of the Fortune 500. Climate data needs a security upgrade, or companies’ willingness to tackle their emissions could be curtailed.

The basic strategy of a ransomware attack is to siphon up data and threaten to release it unless a payment is made. Firms like Schneider that have access to other companies’ data are an especially rich target, because of the potential loss of business that could result from a leak, and because the compromised data could hold keys to facilitate follow-up attacks at the other companies, said Nick Biasini, head of outreach at the cybersecurity firm Cisco Talos.

In addition to standard financial and personal data that may have been compromised, energy data is an especially sensitive Achilles’ heel. It can be read as a proxy for a company’s finances, could give away trade secrets, and could make it easier for hackers to identify future targets in the real world. Energy infrastructure is one of the most common targets of hackers and, according to security firm Sophos, the sector most likely to pay a ransom because of how damaging and costly interruptions can be. That point was driven home by the 2021 hacking of the Colonial Pipeline company, which paid a $4.4 million ransom within hours after hackers shut down one of the biggest U.S. oil pipelines. The recent attack was not the first time Schneider was targeted, either: The company was also hit during a wave of ransomware attacks last year that included at least two other large energy companies, Shell and Siemens Energy.

Risks are growing as more energy and climate data is aggregated, Biasini said.

“It might be fine to share emissions data with your accountants or whomever, but just realize that the more people who have eyes on it, there’s an increased likelihood of data leaks,” he said. “And now there’s an added layer because you have criminals whose job it is to actively find and leak this data.”

The risk of climate data hacking is leading some consulting firms to become more vigilant about cybersecurity. A spokesperson for Watershed, an emissions-tracking startup, said it is proactively tracking efforts by hackers to target climate data, and taking steps including “strong access controls, network segmentation, vulnerability scanning, and enforced security policies via mobile device management” to mitigate the risk. Hackers only need to get lucky once to gain a huge amount of leverage, Biasini said, and once a ransomware attack happens, there’s not much a company can do except to pay up.

Room for Disagreement

It’s not clear that Schneider’s climate data, if it was stolen, was deliberately targeted in this case. In some cases, hackers work in a “smash-and-grab” fashion, snatching up whatever they can before they get caught and only combing through it later to decide what will be most painful to extort the victim with, Biasini said.

The View From China

The identities of the Schneider hackers are unclear. But groups based in China pose a particular threat to U.S. energy companies, FBI Director Christopher Wray warned Congress last month. In addition to attacks in the last year by Chinese state-backed hacking groups on U.S. electric utilities and oil pipelines, U.S. and Canada-based employees of renewable energy and electric vehicle battery companies have recently been accused of selling trade secrets to China. As trade tensions between the U.S. and China escalate, corporate espionage will likely intensify, said Charles Finfrock, an insider threat consultant formerly employed by Tesla: “Within 12 months from now, you’ll see more insiders coming out of climate companies who will be identified stealing information and bringing it back to China.”