Cyber Incident Victim: MRC du Domaine-du-Roy

Date: Apr 2023

Location: Canada

Summary

The MRC du Domaine-du-Roy and its nine municipalities were impacted by a cyberattack after a dormant piece of software was discovered on its servers. As a preventative measure, links were disconnected, rendering online citizen services unavailable while emergency phone lines remained operational. Essential services were maintained, and an investigation was underway, though there was no initial indication that data had been lost or stolen.

Description

On or around April 25, 2023, the Municipalité régionale de comté (MRC) Le Domaine-du-Roy and its nine constituent municipalities became the victim of a cyberattack. The incident was publicly disclosed on that date, though the initial intrusion may have occurred earlier. The attack was discovered on Tuesday, April 25th, when a dormant software program, often indicative of a malware payload, was identified within servers that were not owned by the MRC directly but were instead hosted by an external subcontractor. The discovery of this dormant software triggered the immediate initiation of a defensive response.

Upon detection of the threat, the primary containment action taken was to deliberately sever internet links to the compromised servers as a preventive measure. This decisive action was intended to isolate the threat and prevent any potential lateral movement or data exfiltration. The immediate consequence of this disconnection was a widespread disruption to the MRC's online services. All services provided to citizens through the MRC's online portals became unavailable. This included critical services such as access to municipal assessment tools and online permit application systems. The official investigation into the full scope and nature of the incident commenced concurrently with these containment efforts.

The impact of the attack was multifaceted, primarily affecting service delivery while leaving core operational infrastructure intact. Préfet Yanick Baillargeon confirmed that emergency lines and standard telephone services continued to function normally, ensuring that residents could still access urgent assistance. Essential municipal services were also maintained, preventing a complete operational shutdown. However, the disconnection of the internet links resulted in a significant slowdown of citizen-facing services. The public websites for most of the nine individual municipalities remained accessible to the public because they were hosted on external networks separate from the attacked MRC infrastructure. Despite the websites being online, any hyperlinks or portals on those sites that pointed back to services hosted on the compromised MRC servers were rendered non-functional.

The duration of the service disruption was uncertain at the time of public reporting. Officials stated the non-functional links and services were expected to be down for at least a few hours, but a definitive timeline for full restoration was not provided, indicating the investigation and remediation process was in its early stages. A key point of public reassurance from the MRC's leadership was that, based on the initial assessment, there was no indication that any data had been lost or that specific information had been stolen during the attack. This suggests the primary impact was operational disruption through service downtime rather than a confirmed data breach.

The incident involving MRC Le Domaine-du-Roy was contextualized by the Union des municipalités du Québec (UMQ) as part of a growing trend of increasingly frequent cyberattacks targeting municipalities and regional county governments across Quebec. Patrick Lemieux, a spokesperson for the UMQ, stated that no municipality or MRC is immune to such an attack, regardless of its size. The UMQ pointed to broader global and technological factors contributing to this heightened risk environment. These factors included the proliferation of digital media and web tools, international events such as the war in Ukraine, and the increased adoption of remote work practices during the COVID-19 pandemic, all of which were cited as having accentuated cybersecurity challenges for all organizations, including municipal bodies. In response to this perceived increase in risk, the UMQ advised its member and non-member municipalities to enroll in its specialized insurance risk pool, which already included approximately one hundred organizations at the time of the incident.
