Cyber Incident Victim: Montpellier
Date:
Mar 2024
Location:
France
Summary
Numerous schools across France, including over twenty in the Lorraine region, were targeted by bomb threats and violent messages delivered via hacked educational messaging systems (ENT). Threatening communications referenced extremist groups and included decapitation videos, prompting evacuations, police sweeps, and temporary closures of affected institutions. Security forces conducted perimeter controls and building inspections, with some schools resuming classes after clearance while others remained closed for the day. Nationwide, approximately 130 secondary institutions faced similar threats over a week, causing significant disruption and parental concern. Investigations confirmed system breaches, leading to official complaints and the disabling of ENT messaging functions to prevent further spread.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On March 25, 2024, a coordinated wave of bomb threats and terrorist intimidation targeted educational institutions across multiple departments in northeastern France, primarily affecting the Lorraine region. The incident began overnight when attackers compromised the digital workspaces (ENT) of at least 20 secondary schools in Meurthe-et-Moselle, Moselle, Meuse, and Vosges. Threat actors sent identical messages via hijacked communication platforms to students, staff, and parents, warning of imminent bomb attacks and, in some cases, explicitly threatening to "exterminate students" or behead teachers "in the name of the Islamic State." At Colombey-les-Belles, the message promised to detonate explosives at Collège Grüber, while the Cité scolaire Julie-Daubié in Rombas received threats of bombings and educator executions. The attackers exploited system vulnerabilities to disseminate these warnings broadly, with some messages including decapitation videos similar to those used in prior attacks on Île-de-France schools.
Authorities implemented immediate containment measures, evacuating over 1,400 students at Bar-le-Duc's Raymond-Poincaré complex and hundreds more across 18 additional institutions. In Moselle, police established security perimeters at lycées in Metz, Thionville, and Saint-Avold, while gendarmerie units conducted building sweeps in Cattenom and Behren-lès-Forbach. The académie de Nancy-Metz disabled all ENT messaging functions to halt threat propagation but maintained pedagogical services operational. By midday, 15 institutions had resumed classes after security clearance, though Remiremont's Lycée André-Malraux and Saulxures-sur-Moselotte's vocational school remained closed for the day. The cyberattacks caused significant operational disruption, with prolonged evacuations at Fameck's Lycée Saint-Exupéry and Landres' Lycée Jean Morette forcing students to wait outdoors for hours. Parental anxiety escalated as students from Bruyères and Gérardmer contacted families pleading for early retrieval, leading some guardians to declare intentions to keep children home indefinitely. Forensic investigations confirmed unauthorized access to educational accounts, prompting the académie and affected schools to file criminal complaints. By evening, all Vosges institutions except Remiremont had reopened, though security protocols like bag searches at Épinal's Lycée Louis-Lapicque remained active. The incident formed part of a broader national pattern, with 130 schools targeted in Île-de-France, Strasbourg, and Hauts-de-France during the preceding week through identical ENT compromise methods.