
Cyber Incident Victim: Municipality of Herselt

Date: Apr 2023

Location: Belgium

Summary

The municipality of Herselt experienced a cyber attack that disrupted all services, forcing closures of town hall facilities and limiting communications. The incident was caused by a compromise of an external software supplier's login credentials, which provided hackers access to a server. While most of the copied data was considered non-sensitive, a small percentage was not, and affected individuals were to be contacted. Services were eventually restored after a thorough investigation.


Description

On Wednesday, April 5, 2023, the municipality of Herselt was victimized by a cyber attack. The initial assessment indicated the potential impact was limited. As an immediate containment measure to prevent further damage, the municipal IT system was deliberately disconnected from the internet. Preliminary investigations suggested that the municipality's data remained safe and had not been compromised. External cybersecurity experts were engaged to conduct a thorough forensic examination of the servers to determine the full scope and nature of the incident. The municipal administration announced the closure of its services located in VTC de Mixx, the library, the town hall, and the OCMW (Public Centre for Social Welfare) for the remainder of the week. A tentative timeline was established, with the goal of restarting services by the following Tuesday, April 11. During this disruption, the municipality could only be contacted via telephone at two numbers: 014 53 90 00 for general municipal inquiries and 014 54 89 91 for the OCMW. The email system was completely inoperable, and the municipality could not receive any external electronic communications. A dedicated phone line, 0471 41 02 16, was established to field questions from the public regarding the incident and the ongoing service disruptions.


By Friday, April 7, the investigation had progressed, yielding a more detailed understanding of the attack vector. Officials clarified that the breach did not originate from a failure of their security supplier. Instead, the intrusion was facilitated through an external software supplier. To optimize municipal operations, these external suppliers were granted access to one or more servers using specific login credentials. The investigation revealed that the login credentials of one particular external software supplier had been compromised and leaked, although the method of this leakage was not specified. This stolen access provided the threat actors with a pathway to infiltrate one of the municipality's servers. In response to this finding, the municipality confirmed that these types of direct external access points had been identified and permanently blocked to prevent a recurrence of this specific attack method. The work to investigate which specific data may have been exfiltrated continued in collaboration with external digital forensics experts.

The following Tuesday, April 11, the municipality provided a significant update, announcing that all services were once again operational. This marked a restoration of normalcy after a week of significant disruption. The statement included an apology for the problems caused and acknowledged the considerable inconvenience experienced by residents. The investigation into the data aspect of the incident had advanced, allowing the administration to confirm they had established an overview of the information that was copied by the attackers. The characterization of the stolen data was that it was "mainly about relatively innocent and non-sensitive information." However, a critical exception to this general assessment was noted: a very small percentage of the copied data was considered an exception to this rule, implying it was sensitive in nature. The municipality committed to doing everything possible to directly inform the individuals affected by this specific subset of compromised data as quickly as possible. The full nature of this sensitive data was not disclosed publicly.

The operational impact of the cyber attack was severe and multifaceted, causing serious disruption to the delivery of essential public services. The complete disconnection from the internet was a necessary but drastic containment action that rendered numerous digital services inoperable. The physical closures of key administrative buildings, including the main town hall and the social welfare office, extended throughout the entire week following the attack. This prevented residents from conducting in-person business and accessing government services. The inability to receive external emails created a major communications gap, hindering official correspondence with citizens, businesses, and other government entities. The reliance on a limited telephone system became the sole point of contact, likely leading to delays and backlogs. The statement from April 11 indicated that the return to full operations was a gradual process, restarted step by step, which suggests a careful and methodical recovery to ensure stability and security.

The root cause analysis pointed decisively to a supply chain compromise. The attack was not a direct penetration of the municipality's own cyber defenses but was executed indirectly through a third party. An external software supplier, which had been granted privileged access to municipal servers to perform its duties, became the weak link. The compromise of that supplier's login credentials was the critical enabling factor that allowed the threat actors, referred to as hackers, to gain unauthorized entry. This highlights a dependency on third-party security practices and the risks associated with providing external entities with direct server access. The municipality's response included a direct action to mitigate this specific risk by blocking all such direct access routes, indicating a change in policy regarding how external vendors connect to and interact with the municipal IT environment.

The data breach, while described as mostly non-sensitive, still constituted a compromise of municipal information. The confirmation that data was copied signifies that the incident was more than a simple disruption or ransomware event; it involved data exfiltration. The acknowledgment that a small percentage of the data was sensitive enough to warrant direct individual notification to affected persons is a crucial detail. It confirms that personal data was involved, though the exact type (such as personally identifiable information, financial data, or health information) was not elaborated upon. The commitment to inform those impacted is a key component of the response, aligning with data breach notification principles and obligations. The forensic investigation was central to understanding the scope of the copied data and identifying the specific individuals who needed to be notified due to the exposure of their sensitive information.

The overall response strategy involved a combination of immediate containment, forensic investigation, external expertise engagement, and gradual restoration. The first action was to isolate the compromised systems by severing the internet connection, a classic incident response procedure to stop ongoing data theft or malware spread. Engaging external experts was essential for conducting a proper forensic analysis to determine the attack's entry point, its scope, and its impact. Communication with the public was maintained through the municipal website and dedicated phone lines, providing updates as new information was confirmed. The recovery process was managed cautiously, bringing systems back online in a controlled manner to ensure they were clean and secure. The restoration of all services by April 11 indicates a recovery timeline of approximately six days from the initial attack, though the process of notifying individuals about the sensitive data breach likely continued beyond that date. The incident served as a catalyst for reviewing and changing access controls for third-party suppliers to prevent future breaches of a similar nature.
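The root-cause paragraph and the response paragraph above both turn on the same lesson: a vendor account with direct server access is only as safe as the vendor's credential hygiene, so its use has to be constrained and watched. The following is an added illustration, not code from the municipality or from this database, of a simple detection check that a defender could run over server authentication logs. It assumes sshd-style "Accepted ..." log lines (constructed sample lines below, not from the incident), a hypothetical vendor account name `vendor_erp`, and a hypothetical per-vendor policy of allowed source networks and an agreed maintenance window.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample log lines (sshd-style); they are NOT from the Herselt incident.
SAMPLE_LOG = """\
2023-04-05T02:14:07Z srv-fin01 sshd[4121]: Accepted password for vendor_erp from 203.0.113.45 port 51844 ssh2
2023-04-05T09:30:12Z srv-fin01 sshd[4390]: Accepted publickey for vendor_erp from 198.51.100.20 port 40122 ssh2
2023-04-05T10:02:55Z srv-web02 sshd[2210]: Accepted publickey for admin_j from 10.0.5.17 port 52000 ssh2
2023-04-05T03:01:41Z srv-fin01 sshd[4150]: Accepted password for vendor_erp from 203.0.113.45 port 51902 ssh2
"""

# Hypothetical vendor access policy: account -> allowed source networks and allowed UTC hours.
VENDOR_POLICY = {
    "vendor_erp": {"networks": ["198.51.100.0/24"], "hours": range(8, 18)},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_logins(text):
    """Yield one dict per successful-login line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def flag_vendor_logins(text, policy=VENDOR_POLICY):
    """Return (user, host, src, reasons) for vendor-account logins that violate policy."""
    findings = []
    for ev in parse_logins(text):
        rule = policy.get(ev["user"])
        if rule is None:
            continue  # not a vendor account; this check only covers third-party access
        reasons = []
        src = ipaddress.ip_address(ev["src"])
        if not any(src in ipaddress.ip_network(net) for net in rule["networks"]):
            reasons.append("source address not in vendor allowlist")
        if ev["ts"].hour not in rule["hours"]:
            reasons.append("login outside agreed maintenance window")
        if ev["method"] == "password":
            reasons.append("password authentication on vendor account")
        if reasons:
            findings.append((ev["user"], ev["host"], ev["src"], reasons))
    return findings
```

In the sample data the two night-time password logins from an unlisted address are flagged with all three reasons, while the vendor's own daytime key-based login passes; the same policy table doubles as an inventory of which third parties still hold direct server access and can therefore be reviewed or revoked.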
