
Cyber Incident Victim: Lacroix Group

Date: May 2023

Location: France

Summary

LACROIX intercepted a targeted cyber attack against its Electronics activity sites in France, Germany, and Tunisia. The attack resulted in the encryption of some local infrastructures, and an analysis is underway to determine if any data was exfiltrated. The three affected sites were temporarily closed for a week to allow for system restarts from backups and security investigations. These sites represented a significant portion of the group's total sales.


Description

During the night of Friday, May 12, 2023, to Saturday, May 13, 2023, LACROIX intercepted a targeted cyber attack directed at its Electronics activity sites located in Beaupréau, France; Willich, Germany; and Zriba, Tunisia. The company's immediate response was to implement measures to secure all other sites within the Group, indicating a proactive containment effort to prevent the potential lateral spread of the incident to its wider network. The attack was significant enough to necessitate a complete shutdown of the three targeted facilities. Investigations were launched prior to any attempts to restart the operational systems at these sites to confirm that the cyber attack had been fully contained and to understand the full scope of the compromise.


The forensic analysis revealed that local IT infrastructures at the affected sites had been encrypted, a clear indicator of a ransomware-based attack. This encryption of systems would have rendered them inoperable, directly causing the cessation of production activities. Concurrently, an investigation was initiated to determine whether any data had been exfiltrated from the company's networks prior to or during the encryption process. The need to conduct these thorough investigations, coupled with the requirement to utilize backup systems for restoration, led LACROIX to estimate a process lasting several days. Consequently, the decision was made to keep the three sites closed for the entire week following the attack.

LACROIX announced its target to reopen the shuttered facilities on Monday, May 22, acknowledging that it was still too early to know the exact timeline for a full resumption of production activities. To manage the operational standstill, the company enacted partial activity measures and formulated a detailed management and restart plan, which was tailored to the specific circumstances of each individual site. This plan involved the methodical use of backups to restore systems and data, a process that underscores the company's reliance on its own disaster recovery capabilities to return to normal operations without capitulating to any potential ransom demands.

Communication with external stakeholders was a key component of the incident response. Louis Pourdieu, the General Manager of the Electronics EMEA activity, took direct responsibility, along with his teams, for informing the site's customers and suppliers about the unforeseen closure and for providing them with updates regarding the conditions and progress of the restart operations. This outreach was crucial for managing supply chain relationships and mitigating secondary business impacts caused by the production halt.

The financial significance of the three attacked sites was substantial, collectively representing 19% of the LACROIX group's total sales for the 2022 fiscal year, which amounted to €708 million. This highlighted the serious operational and revenue implications of the incident. However, the company's initial assessment pointed to a potentially limited immediate financial impact due to a favorable production calendar. The attack occurred during a week where the French and German sites had only three days of effective production scheduled. Because of this circumstantial timing, LACROIX stated that it did not envisage, at that preliminary stage, any significant impact on the overall performance figures it had previously announced for the Group for the entirety of 2023.

The incident impacted LACROIX's operations in a core business segment. The Electronics activity designs and manufactures electronic equipment for several critical industries, including automotive, home automation, aerospace, industrial, and health sectors. Furthermore, the Group provides connected equipment for the management of critical infrastructures such as smart roads (encompassing street lighting, traffic signs, traffic management, and V2X technology) as well as systems for managing water and energy operations. The attack on the sites responsible for these technologies underscores the vulnerability of industrial and critical infrastructure supply chains to cyber threats. The containment measures and the week-long closure of key manufacturing facilities demonstrate the severe disruptive potential of such cybersecurity events on industrial operations. The response illustrates a standard incident management approach focused on containment, evidence gathering, system restoration from backups, and stakeholder communication. The immediate public disclosure did not mention any external assistance.
