Cyber Incident Victim: Groupe Vitrey

The Groupe Vitrey, a construction group headquartered in Villiers-sur-Suize with nearly fifty years of operations in the Haute-Marne region, was the victim of a large-scale cyberattack. The incident occurred in mid-May, with the filed complaint covering the period from Friday, May 12th, to Tuesday, May 16th, 2023. The attack completely paralyzed the entire information technology system of the company. All fifteen of the BTP group's subsidiaries were impacted by this widespread disruption to their digital infrastructure.

The cyberattack technique that was identified was that of ransomware. Despite this identification, the Groupe Vitrey confirmed that no ransom was paid by the company to the attackers. The financial damage resulting from the incident was described as very significant and colossal according to sources close to the case. This substantial financial prejudice potentially included costs induced by the complete blockage of the company's computer systems, though the exact composition of the calculated amount was not fully detailed.

In response to the criminal incident, the Groupe Vitrey filed an official legal complaint. The Prosecutor of the Republic at the Judicial Court of Chaumont subsequently disqualified themselves from the case in favor of the Paris prosecutor's office. This transfer of jurisdiction placed the investigation under the purview of section 3J within the Paris prosecutor's office, a section which includes the treatment of cybercrime cases. The investigation itself is being led by the Center for the Fight against Digital Crime, known as the C3N. This unit is a national jurisdiction judicial police unit attached to the National Gendarmerie's Judicial Pole, indicating the serious and complex nature of the case being investigated.

The scope of the judicial investigation is twofold. The primary objective is to identify the individual or group responsible for orchestrating and executing the cyberattack against Groupe Vitrey. A concurrent and equally critical line of inquiry for the authorities is to establish the level of computer security that was in place at the company prior to the incident. This part of the investigation will seek to determine if there was any potential inaction or possible negligence that may have contributed to the success of the attack or the severity of its impacts. The company's leadership, when contacted for comment following the attack, declined to speak publicly on the matter, choosing not to provide any official statement or further details.

Coinciding with the heightened awareness following the attack on a major local employer, state services in the Haute-Marne region moved to address the subject of cybercrime. A departmental conference featuring experts was scheduled for Monday, June 26th in Nogent. The event was intended for elected officials, business leaders, and public institution managers who had themselves been victims of such attacks. The conference aimed to help attendees understand the potential fragility of their own computer systems, to better measure the associated risks, and to emphasize proven protection guidelines. A key message to all actors, including communes, hospitals, and businesses, was a reminder that establishments victimized by these cyberattacks must file a formal complaint to initiate law enforcement involvement.