Cyber Incident Victim: Group DIS
Date: May 2023
Location: France
Summary
The Alphv/BlackCat ransomware group attacked IT service provider Group DIS, exfiltrating several terabytes of data including critical customer information. The attack caused widespread service outages for numerous clients, including Lacroix Electronics and regional government websites. The threat actors publicly claimed the attack, alleging the provider refused to pay a ransom to protect its client's data, and subsequently leaked the stolen information.
Description
On or around May 12, 2023, a significant cyberattack targeted Group DIS, a Lille-based provider of hosting and IT management services. The incident was discovered on the morning of Saturday, May 13, when numerous websites hosted on the Group DIS infrastructure became unavailable, displaying connection errors, blank pages, or database connection failures. The company confirmed the event on the authentication page of one of its online services, stating, "Hello, we are currently experiencing a large-scale attack. We have taken the initiative to cut off external access to all of our infrastructures. Currently, your services are not accessible. We are doing our utmost to restore the situation as quickly as possible." This action to disconnect external access was a primary containment measure taken in immediate response to the attack.

The impact of the infrastructure shutdown was widespread, affecting a large number of Group DIS's clients. The French news website Actu.fr reported on May 13 that access to its site had been disrupted due to a server failure at its hosting company. By the morning of Monday, May 15, the department of Côtes-d'Armor announced via Twitter that a technical incident was rendering several of its websites unavailable, confirming that these services were also hosted by Group DIS. The client base was described as numerous, including media outlets, e-commerce sites, and digital service providers that relied on the managed service provider's infrastructure.
On May 15, the ransomware group Alphv, also known as BlackCat, publicly claimed responsibility for the attack on their leak site. Their claim stated they had stolen 4 terabytes of data from Group DIS. This exfiltrated data was broken down into 3 terabytes of "critical customer data (sql, file servers, critical VMs)" and 1 terabyte of data belonging specifically to Lacroix Electronics, a client of Group DIS. The attackers accused Group DIS of having "refused to pay for the security and data of its client" and, as a consequence, stated they were divulging the data. An index file exceeding one hundred megabytes accompanied the data leak.
The involvement of Lacroix Electronics, a manufacturer of electronic equipment, became public on May 15 when the company issued a statement to its investors. Lacroix described an event it termed a "contained cyberattack," stating, "Lacroix announces that it intercepted during the night of Friday, May 12 to Saturday, May 13 a targeted cyberattack on the French (Beaupréau), German (Willich), and Tunisian (Zriba) sites of the Electronics activity. Measures to secure all other sites of the Group were immediately taken." This statement indicated the company had detected and responded to the incident on its own infrastructure concurrently with the problems at its service provider.
The precise chronology and initial point of compromise remained unclear in the immediate aftermath. As of May 16, according to a source close to the investigations, it was not established whether the attackers had first targeted Group DIS, making Lacroix Electronics a collateral victim, or if the reverse was true, with the attack on Lacroix subsequently affecting its IT service provider and its other clients. The Alphv group's claims suggested the data pertaining to Lacroix was exfiltrated around April 27, 2023, based on the creation dates of the folders they published, which would predate the widespread service disruption on May 13.
The technical nature of the attack involved the Alphv/BlackCat ransomware, a malware first identified in December 2021. This ransomware is notable for being developed in the Rust programming language, which makes it highly customizable. It is capable of affecting Windows systems, Linux systems, and virtualized environments such as VMware ESXi. This same ransomware had been used in an attack against the company Akka Technologies in May 2022. The attack on Group DIS represents another instance in a pattern of cyberattacks targeting managed service providers. Earlier in the year, on March 18, 2023, Bouygues Telecom Entreprises had experienced an attack on its OnCloud service infrastructure, affecting several dozen clients. The French National Agency for the Security of Information Systems (ANSSI) had previously reported handling 18 compromises affecting digital service companies in 2021.
The consequences of the attack were operational disruption and data breach. The primary impact was the extended outage of critical hosting services for a wide array of clients, from local government services to regional press. The secondary impact was the confirmed exfiltration of a large quantity of sensitive data, including critical SQL databases, file servers, and virtual machines belonging to Group DIS's customers, with Lacroix Electronics being specifically named and having a significant volume of its data allegedly stolen and published. The response actions included Group DIS's initial containment measure of disconnecting its entire infrastructure from external access to prevent further spread or damage. Lacroix Electronics reported taking immediate measures to secure all of its other sites not initially affected. The public claims by the Alphv group and the subsequent data leak marked the escalation of the incident from a service availability issue to a major confidentiality breach. The full restoration of services and the complete scope of the data compromise were ongoing matters following the initial disclosure period.
