Cyber Incident Victim: Morcenx-la-Nouvelle Municipality

Date: Apr 2023

Location: France

Summary

The Morcenx-la-Nouvelle Municipality was hit by a cyberattack that disrupted its IT services, including email systems. As a security measure to prevent the attack's spread, the services of the municipality, the intercommunal social action center, the community of communes, and the waste syndicate were isolated. Physical receptions remained open, and temporary telephone lines were established to maintain contact with the public while agents worked to diagnose the impact and restore services.


Description

On or shortly before April 17, 2023, the municipality of Morcenx-la-Nouvelle in the Landes department of France was impacted by a significant cyberattack targeting its information technology services. The incident was publicly confirmed by the town hall on Tuesday, April 17th, though the initial compromise is understood to have occurred earlier. The precise timing of the initial intrusion and the specific method of the attacker's initial access were not publicly disclosed at the time of reporting. The attack was severe enough to cause a major disruption to municipal services, prompting an immediate and coordinated response from the local government.

In response to the discovery of the incident, the technical team for Morcenx-la-Nouvelle implemented swift containment measures. The primary objective was to isolate infected systems and prevent the malicious software from propagating to other connected networks. As a confirmed security precaution, the municipal services were deliberately severed from the wider intercommunal IT infrastructure. This action resulted in the isolation of the services belonging to the Centre Intercommunal d’Action Sociale (CIAS), the community of communes, and the Syndicat des Déchets de la Haute Lande (SEDHL). This isolation was a deliberate act to contain the threat and avoid any spread of the attack beyond the initial point of compromise, effectively creating a digital quarantine around the affected systems.

The immediate consequence of these containment actions was a widespread service disruption. The town hall's primary email communication system was rendered completely inoperable and was confirmed to be "unavailable until further notice." This loss of a critical communication channel significantly hampered administrative operations. Despite the severe digital disruption, the physical infrastructure of the town hall and its associated services remained unaffected. The municipality took great care to emphasize that all physical reception desks and public reception areas remained fully operational and accessible to citizens, ensuring that in-person services could continue as normally as possible under the circumstances.

To mitigate the communication blackout caused by the email outage, the town hall's administration rapidly established a series of temporary telephone lines. This was done to ensure that the populace could remain in contact with the various municipal departments. A dedicated phone number for the town hall itself, 06 98 12 41 49, was set up and publicized. Additional temporary lines were deployed for other critical services: the Community of Communes and the SEDHL could be reached at 06 69 52 40 92, the CIAS at 06 69 53 01 24, and the local tourist office at 06 76 84 02 26. These temporary lines were explicitly stated to be accessible only during the standard opening hours of the respective offices, providing a lifeline for public inquiries.

A specific and important public service, the passport and national identity card issuance department located within the Morcenx-la-Nouvelle Town Hall, was confirmed to have remained fully functional throughout the incident. This indicated that the impact of the cyberattack was not uniform across all digital systems and that certain critical citizen services were maintained on separate or isolated systems that were not affected by the disruption or were able to operate independently of the compromised network infrastructure.

On Tuesday, April 17th, the diagnostic phase of the incident response was actively underway. A technician, dispatched by the municipality's external IT service provider, was physically present within the town hall's offices to conduct a thorough forensic analysis. The technician's primary task was to diagnose the full impact of the cyberattack and, crucially, to identify the point of entry used by the attackers. The mayor, Paul Carrère, publicly described the malicious code as a "virus" and expressed hope that the damage would be limited. A key concern for the administration was the status of their data backups, which had been performed at the end of the previous week. The integrity of these backups was uncertain, and officials were awaiting the technician's analysis to determine if the backup data had also been compromised by the attack. The full scope and scale of the damage were expected to be understood within the coming hours of that Tuesday.

The municipality's leadership also confirmed that a formal legal complaint was going to be filed with the appropriate authorities in response to the attack. This action signifies that the event was treated as a serious criminal matter. The town hall's staff and agents were noted to be fully mobilized and continuing their efforts to serve the population despite the significant technical challenges presented by the attack. The local government committed to keeping the public informed of any developments and changes in the situation as their investigation and recovery efforts progressed.
