Cyber Incident Victim: Syndicat Mixte Départemental de l’Eau et de l’Assainissement de l’Ariège
Date: May 2023
Location: France
Summary
The Syndicat Mixte Départemental de l’Eau et de l’Assainissement de l’Ariège (SMDEA) was targeted in a ransomware attack that compromised its IT infrastructure. The attackers stole personal user data, though the full extent is still being determined. Operations were severely disrupted, forcing a return to manual paper-based processes and increased field presence for water quality monitoring. A ransom demand was issued, but authorities confirmed no payment would be made.
Description
On or around Sunday, May 14, 2023, the Syndicat Mixte Départemental de l’Eau et de l’Assainissement de l’Ariège (SMDEA) experienced a cyberattack on its information technology infrastructure. The intrusion was officially confirmed by authorities during a press conference held on Thursday, May 25, 2023, at the organization's headquarters in Saint-Paul-de-Jarrat. The initial discovery of the incident prompted the organization to maintain a high level of discretion regarding the event, withholding public announcement for reasons of confidentiality and security. The attackers successfully deployed ransomware ("rançongiciel" in French), which encrypted files and blocked access to the computer systems, effectively halting normal digital operations. Following the attack, the hackers issued a ransom demand to the SMDEA.

In response to the operational disruption, the SMDEA immediately reverted to manual processes, utilizing paper and pen to conduct business that was previously managed entirely online. The organization implemented workarounds to bypass its standard, now-inaccessible, digital procedures. Field agents significantly increased their on-the-ground presence to carry out essential duties, including meter readings and monitoring the quality of the water supply. Despite the severe impact on internal IT systems, no anomalies in the water quality or supply were detected as a result of the attack.
The attack was confirmed to have resulted in a data breach, with the exfiltration of personal data belonging to the organization's users. The precise nature and full scope of the stolen data required further investigation by authorities. While the potential theft of banking coordinates was acknowledged as a possibility, it was not definitively confirmed at the time of the initial press conference. Officials emphasized the need to thoroughly determine the exact character and quantity of the data that had been compromised.
A formal complaint was filed by the SMDEA with the relevant authorities. The response to the incident involved a coordinated effort between multiple national and departmental agencies. The Agence nationale de la sécurité des systèmes d'information (Anssi), the Commission nationale informatique et libertés (Cnil), and the Ariège gendarmerie were all engaged to provide support and assistance in managing the situation and facilitating a return to normal operations. The involvement of these specialized agencies underscored the seriousness with which the attack was treated.
A high-level meeting was convened at the prefecture on Monday, May 15, 2023, the day after the attack was discovered, to assess the situation and define priority actions. This meeting included representatives from the Department, the State, and the gendarmerie services. During the press conference, officials praised the reactivity of the syndicate in its initial response to the incident. The State services committed to remaining at the disposal of the SMDEA until a full return to normal functioning was achieved. The incident was described as an example of an emerging form of criminality targeting critical infrastructure.
The leadership of the SMDEA and the Departmental Council took a firm stance against acquiescing to the attackers' demands. Christine Téqui, the president of the Departmental Council, stated unequivocally that no ransom payment would be made to the hackers. This decision was publicly reiterated and emphasized as a core principle of the organization's response strategy. The authorities promised to provide a subsequent update on the status of the investigation and recovery efforts within the fifteen days following the May 25th press conference. The investigation into the initial attack vector was ongoing, with authorities indicating that the ransomware could have been introduced through a malicious link, a corrupted email attachment, or by navigating to a compromised website, though specific details regarding the breach were not publicly disclosed to preserve the integrity of the investigation. The primary impact of the incident was a severe operational disruption to the SMDEA's administrative and monitoring functions, coupled with the confirmed theft of sensitive user data, the full consequences of which were still being evaluated.
