Cyber Incident Victim: Proxiteam group

Date:

Jun 2024

Location:

France

Summary

A cybersecurity incident impacted Axido, a subsidiary of the Proxiteam group: attackers partially encrypted the hosted client production environments with ransomware. The company isolated its systems, engaged an Anssi-recommended independent expert for the investigation, notified the authorities and prepared a legal complaint. Initial investigations found no evidence that sensitive or personal data had been leaked. Restoration is under way but is expected to take a long time because of the data integrity checks, infrastructure reconstruction and security precautions needed to stop the attacker from regaining access. The intrusion is believed to have originated from compromised privileged access credentials that were reportedly offered for sale on cybercriminal forums shortly before the attack. Axido declined to communicate with the threat actors and chose a thorough system recovery over a faster restoration, despite the operational disruption this caused for affected clients.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Axido, a subsidiary of the Proxiteam group, suffered a cyberattack that was first detected on June 12, 2024, when the company was alerted to a possible compromise of privileged access credentials. This followed reports, a few days earlier, that such credentials for a French digital services company (believed to be Axido) were being sold on cybercrime forums. By June 14 the Axido and Proxiteam websites were inaccessible, and clients began receiving email notifications describing a security incident that had required the entire information system to be isolated. The company confirmed the attack and stated that its response aimed to limit the operational impact, stressing that initial investigations had found no evidence of sensitive or personal data exfiltration. Axido engaged an independent cybersecurity firm recommended by France's National Agency for the Security of Information Systems (Anssi) to carry out the forensic analysis, contacted the relevant authorities and prepared to file a legal complaint.


Subsequent updates revealed that the attackers had partially encrypted the production environment hosting client business applications, confirming ransomware involvement, although the variant was not named. Following Anssi guidance, Axido refused to communicate with the threat actors and prioritised system security over a faster recovery. Restoration relied on backups taken before the encryption, but these had to be analysed carefully before redeployment: because the attackers held privileged credentials before the ransomware was triggered, a backup made after the initial intrusion could already contain their persistence mechanisms, and restoring it blindly would hand them access back. The company acknowledged that full recovery would be protracted because of data transfer bottlenecks, the ongoing forensic work and the reconstruction of the infrastructure, which was further complicated by hardware being sequestered (taken out of service and preserved) for security reasons. Axido explicitly warned clients, in particular those relying on its hosted business software, to expect extended downtime, but committed to a thorough remediation despite the operational disruption. No precise timeline for service restoration was given. The incident illustrates both the technical complexity of post-attack recovery and the cascading impact on the operations of dependent clients.

Sources

1 source (available to members)