Cyber Incident Victim: European Telecommunications Standards Institute
Date: Aug 2023
Location: France
Summary
The European Telecommunications Standards Institute (ETSI) suffered a cyberattack in which hackers exfiltrated a database containing its online users list. ETSI engaged France's cybersecurity agency ANSSI to investigate, fix the exploited vulnerability, and strengthen security procedures. Users were instructed to change their passwords, and a judicial inquiry was initiated. The breach was also reported to the French data protection authority.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around August 27, 2023, the European Telecommunications Standards Institute (ETSI), a nonprofit institution based in the Sophia Antipolis technology park on the French Riviera, fell victim to a significant cyberattack. The attack targeted the ETSI portal, which is the IT system dedicated to its members’ work. Following the discovery of the incident, ETSI announced that hackers had successfully stolen a database identifying its users. The institution believes the database containing the list of its online users was exfiltrated by the threat actors. The precise motivation behind the attack remains unclear; it is not yet known whether the hackers were financially motivated or whether their intention was to acquire the list of users for espionage purposes. ETSI, which has more than 900 member organizations from over 60 countries, including large and small private companies, research entities, academia, and government and public organizations, did not publicly specify the exact nature of the information contained within the stolen user database.

In response to the security breach, ETSI promptly engaged France’s national cybersecurity agency, ANSSI (Agence nationale de la sécurité des systèmes d'information). The ETSI IT team worked in close collaboration with ANSSI experts to investigate the incident and repair the compromised information systems. The institution stated that the vulnerability exploited in the attack had been identified and fixed, although it did not publicly disclose any technical details regarding this vulnerability. A spokesperson for ETSI declined to clarify whether the exploited vulnerability had been a known issue or a previously unknown zero-day at the time of the attack. Under the guidance of the ANSSI experts, ETSI undertook additional security actions and significantly strengthened its IT security procedures as part of its comprehensive remediation efforts.
As a direct consequence of the incident and as a precautionary measure, ETSI asked all its online service users to change their passwords. This action was taken to mitigate potential risks arising from the theft of the user database, which could have contained authentication credentials. The organization also initiated formal legal and regulatory procedures in accordance with French law and European regulations. A judicial inquiry, which represents the investigation phase of criminal proceedings in France, was launched following the cyberattack. Furthermore, ETSI complied with its mandatory reporting obligations by notifying the French data protection authority, CNIL (Commission nationale de l'informatique et des libertés), of the personal data breach as required by the General Data Protection Regulation (GDPR).
Luis Jorge Romero, the Director-General of ETSI, described the cyberattack as a “crisis” for the institution. In public statements, he emphasized ETSI's core value of transparency, which extends to its governance and technical work. He drew a parallel between the response to this cyber incident and the organization's previous adaptation to the Covid-19 crisis, noting that ETSI had proven itself quick to react and adapt to challenges in order to ensure business continuity for both its staff and its members. Romero expressed particular gratitude for the knowledge and advice provided by the experts from ANSSI, who were instrumental in helping ETSI determine the necessary remedial actions and in strengthening the overall security of its systems. Despite the severity of the attack, ETSI managed to ensure that its members were able to keep working without disturbance during the response period.
The incident at ETSI highlights the heightened sensitivities surrounding international telecommunications standards bodies. These organizations develop the technical standards that underpin global communications, and as such, they encode social values and have a material impact on the ways society functions. The work of institutes like ETSI is often fraught with international geopolitical tensions, as control and influence over telecommunications standards can confer significant strategic advantages. This context adds a layer of complexity to cyber incidents targeting such entities, as the theft of a user database could potentially facilitate espionage activities by revealing the membership and contacts of a key standards-setting organization. The event occurred against a backdrop of increased international focus on bodies like the International Telecommunication Union, where elections have recently been vigorously contested.
