Cyber Incident Victim: Groupe Charles André

Date: Feb 2024

Location: France

Summary

The French logistics company GCA experienced a cyberattack prompting precautionary internet disconnections and activation of crisis protocols with external specialists and national authorities. Communication systems including email, phone lines, and API/EDI connections remain non-functional, though no data breach has been confirmed yet. This incident mirrors a prior ransomware attack involving DoppelPaymer approximately three years earlier. Security researchers identified exposed vulnerabilities in the company's Citrix Gateway (CVE-2023-3519) and MobileIron systems (CVE-2023-35081, CVE-2023-35078) days before the attack, though these systems were later disconnected. The logistics sector continues facing significant cyber threats, with multiple French counterparts targeted recently.

Description

On the night of February 17-18, 2024, French logistics firm Groupe Charles André (GCA) experienced a cyberattack, prompting immediate containment measures. The company notified clients via written communication that it proactively severed external internet access to its systems to conduct a comprehensive diagnostic and ensure a secure restart. A crisis management unit was activated with relevant personnel, and competent authorities were informed while legal reporting and complaint procedures commenced. Critical operational systems became non-functional, including standard email addresses, landline phones, EDI connections, and API interfaces, disrupting communication channels such as reception phone lines. GCA stated it had no current evidence suggesting data exfiltration occurred but did not disclose whether system encryption was observed. External cybersecurity specialists collaborated with GCA’s internal teams under coordination with France’s National Cybersecurity Agency (ANSSI) to investigate the incident, prioritizing restoration of appropriate security safeguards. The company’s communication department confirmed the attack’s occurrence but declined to specify if ransomware was involved or identify potential threat actors, leaving unresolved questions about data compromise risks.

Technical analysis from attack surface management platform Onyphe revealed GCA operated a Citrix Gateway instance vulnerable to CVE-2023-3519 as recently as February 14, 2024; this critical flaw had been publicly disclosed in July 2023. Additionally, Onyphe identified an exposed MobileIron instance running versions susceptible to actively exploited vulnerabilities CVE-2023-35081 and CVE-2023-35078 days before the attack. Both systems were disconnected from the internet following the incident.

This marks GCA’s second major cyber incident in three years, following a March 2021 attack involving DoppelPaymer ransomware, which was claimed by threat actors in early March of that year. The logistics sector remains a frequent target, with multiple French transport companies, including subsidiaries of Guyamier group, reporting cyberattacks in late November 2023 and at least four other logistics specialists impacted throughout 2023. GCA’s ongoing forensic review focuses on determining attack vectors, intrusion scope, and potential data exposure while maintaining operational isolation of compromised infrastructure.
