Com TW NOw News 2024

Schneider Electric confirms breach of development platform after hacker steals data

Schneider Electric has confirmed that a developer platform has been breached after a threat actor claimed to have stolen 40 GB of data from the company’s JIRA server.

“Schneider Electric is investigating a cybersecurity incident involving unauthorized access to one of our internal project execution tracking platforms, which is hosted in an isolated environment,” Schneider Electric told BleepingComputer.

“Our Global Incident Response team was immediately mobilized to respond to the incident. Schneider Electric products and services remain unaffected.”

Schneider Electric is a French multinational company that produces energy and automation products ranging from household electrical components found in large retail stores to enterprise-level industrial control and building automation products.

Last weekend, a threat actor known as “Grep” taunted the company on X, saying they had compromised its systems.

Speaking to BleepingComputer, Grep said they hacked Schneider Electric’s Jira server using publicly disclosed credentials. Once they gained access, they claimed to use a MiniOrange REST API to collect 400,000 rows of user data, which Grep says includes 75,000 unique email addresses and full names of Schneider Electric employees and customers.

In a post on a dark web site, the threat actor jokingly demands $125,000 in “Baguettes” not to leak the data, and shares more details about what was stolen.

“This breach compromised critical data, including projects, issues, and plugins, along with more than 400,000 rows of user data, totaling more than 40 GB of compressed data,” reads a message on the extortion site Hellcat.

Message from threat actor about Schneider Electric
Source: BleepingComputer

Grep told BleepingComputer that they recently formed a new hacking group, International Contract Agency (ICA), named after the game Hitman: Codename 47. The threat actor says that this group has not previously extorted the companies they hacked.

However, after learning that the name ‘ICA’ is associated with a ‘group of Islamic terrorists’, the threat actors say they have rebranded as the Hellcat ransomware gang and are currently testing an encryptor that could be used in extortion attacks.

Grep told BleepingComputer that they are extorting Schneider Electric and demanding $125,000 not to leak the stolen data, and half of that if an official statement is released.

Earlier this year, Schneider Electric’s Sustainability Business division was hit by a Cactus ransomware attack, with the threat actors claiming to have stolen terabytes of data.

Update 11/5/24: Story updated to reflect that they have switched to the Hellcat name and are extorting Schneider Electric.