Cyber Incident Victim: City of Cerizay
Date: May 2023
Location: France
Summary
The City of Cerizay was impacted by a cyberattack that occurred over a holiday weekend. Municipal employees discovered the incident when they found their email systems were not functioning normally and had received no messages during that period. The attack also affected a collaborative work platform hosted on SharePoint that served as the town's website.
Description
On the weekend of Pentecost, specifically around May 29, 2023, the municipality of Cerizay in the Deux-Sèvres department of France was targeted by a cyberattack. The incident was discovered by municipal employees upon their return to work on Monday, May 29th. The initial detection occurred when agents noticed a complete absence of emails in their mailboxes for the entire weekend period, an occurrence immediately recognized as highly unusual and indicative of a system-level problem. The director general of services, Arnaud Lalève, confirmed the anomalous lack of communication, which served as the primary indicator that prompted further investigation into the municipality's digital infrastructure. The attack directly impacted the town hall's email systems, disrupting a critical channel of both internal and external communication.

The cyberattack affected more than just the email service. The municipality's official website, which was hosted on the SharePoint platform, was also compromised. This website was not merely an informational portal but functioned as a collaborative workspace essential for daily administrative operations and inter-departmental coordination. The compromise of this platform hindered the ability of municipal staff to work together effectively and access shared documents and resources. The specific nature of the attack, whether it was ransomware, data exfiltration, or another form of intrusion, was not publicly detailed by the officials in their initial statements. The timing of the incident during a holiday weekend is a common characteristic of such attacks, as it exploits periods of reduced staffing and monitoring, potentially allowing malicious activity to proceed undetected for a longer duration.

In response to the discovery, the municipal technical services immediately initiated their incident response protocols. The first action taken was to deliberately cut all internet connections serving the town hall's IT infrastructure. This decisive step was a containment measure designed to isolate the affected systems, prevent the potential spread of the attack to other parts of the network, and stop any ongoing exfiltration of data. By disconnecting from the wider internet, the municipality aimed to secure its systems and create a controlled environment for analysis and recovery. Following the disconnection, the relevant authorities were notified of the breach. This included reporting the incident to the Gendarmerie Nationale, France's national police force, which initiated an investigation into the matter. Furthermore, the incident was reported to the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), the French national cybersecurity agency, as part of the standard procedure for significant cyber incidents affecting public services.

The immediate consequence of the disconnection was a total loss of internet-based services for the entire municipal administration. This outage had a tangible impact on public services. Citizens were unable to access online municipal services or obtain information through the official website. Internally, the disruption to email and the collaborative SharePoint platform significantly hampered administrative workflows and communication among staff. The municipality was forced to revert to alternative, non-digital methods to maintain a basic level of operation. The full scope of the attack, including whether sensitive personal data of citizens or employees was accessed or stolen, was not immediately ascertainable and would be a subject of the ongoing forensic investigation. The primary focus in the immediate aftermath was on containment, evidence preservation for the legal investigation, and assessing the steps required to restore services safely.

The restoration process involved a meticulous effort by the technical teams to clean affected systems, verify their integrity, and gradually bring services back online in a secure manner. The involvement of ANSSI provided access to specialized expertise and resources to assist in the forensic analysis and recovery efforts. The public was kept informed of the situation and the progress of the restoration work through official channels, albeit through means other than the compromised website, such as public statements and notices. The incident at the City of Cerizay exemplifies a growing trend of cyberattacks targeting local governments, which often possess valuable data but may have more limited cybersecurity resources compared to larger national entities. The attack disrupted the normal functioning of the local administration and triggered a coordinated response involving local technical staff, law enforcement, and national cybersecurity authorities.
