Cyber Incident Victim: Fédération Française de Rugby
Date: Jun 2023
Location: France
Summary
The French Rugby Federation was the victim of a cyberattack claimed by the Play cybercriminal group. The attack primarily affected its email servers, and the group threatened to release sensitive confidential information, including employee and client personal data such as passports. The federation's teams took measures to eliminate the malware, secured its systems, and restored functionality. It reported not receiving a ransom demand and stated it would not engage if one were made, while also collaborating with police services on the incident.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On the night of June 7 to June 8, 2023, the French Rugby Federation (Fédération Française de Rugby, or FFR) was the victim of a cyberattack. The attack was first publicly reported on June 8, 2023, and was subsequently claimed by the cybercriminal group known as "Play." This group issued a public threat to release confidential information belonging to the FFR if their demands were not met. The attackers specifically claimed to be in possession of sensitive personal data belonging to FFR employees and "clients," which they stated included passport information. The group did not provide specific details regarding the volume of data that had been exfiltrated during the breach, leaving the full scope of the data theft unclear. The cybercriminals set a deadline for negotiation, giving the FFR until June 27 to engage with them, which is a tactic commonly associated with ransomware operations where payment is demanded to prevent public data leakage.

Upon discovery of the incident, the FFR's internal IT teams took immediate action to respond to the threat. Their initial assessment, as communicated to the public, indicated that the attack had primarily affected the organization's email servers. The technical teams worked to quickly eliminate the malicious software that had been deployed on their systems. The federation's response included securing the entire IT infrastructure to prevent further unauthorized access and to stop the spread of the attack. Efforts were made to restore normal system functionality, and the FFR stated that their IT service had successfully secured the system and reestablished its operation following the containment measures.
The FFR was contacted by the media following the cybercriminal group's public claim of responsibility. In their official response, the federation confirmed the timeline of the attack and the nature of their initial response. A significant point communicated by the FFR was that, at the time of their statement, they had not received any formal ransom demand from the attackers. Furthermore, the organization stated a clear policy of non-engagement, declaring that they "would not wish to respond to it should it occur." This position indicated a decision against paying any potential ransom, aligning with the guidance often provided by law enforcement agencies.
Beyond their internal technical response, the FFR engaged with external authorities to manage the situation. The federation reported that they had entered into contact with police services who were accompanying them in the handling of the incident. The FFR emphasized that they were collaborating closely with these law enforcement agencies throughout the investigation and recovery process. This step is a standard procedure in major cyber incidents, allowing for formal investigation and potential attribution while also potentially gaining access to specialized resources and intelligence related to the threat actor.
The incident occurred within a broader context of increased cybercriminal activity, as the same cybercriminal group, Play, was linked to other attacks around the same time period. For instance, just the evening before the FFR attack was made public, the University Hospital Center (CHU) of Rennes had also fallen victim to a cyberattack. While the origins and motivations of the CHU Rennes attack were reported as unknown at that time, the proximity of these two events highlighted the active threat landscape facing French organizations. The Play group operates under a ransomware-as-a-service model and is known for employing double-extortion tactics, where they both encrypt systems and exfiltrate data, threatening to publish it if a ransom is not paid.
The immediate impact on the FFR's operations was stated to be largely contained to their email servers, suggesting that core business functions unrelated to messaging may have been disrupted only minimally or for a short duration. The successful restoration of system functionality by the IT team points to an effective containment and recovery process. However, the potential long-term consequences hinge on the nature and sensitivity of the data allegedly stolen. The claim that employee and client personal data, including passports, was compromised presents a significant risk of identity theft and fraud for the affected individuals, should the data be published or sold by the threat actors.
The FFR's public communications aimed to project control over the situation, acknowledging the attack while assuring stakeholders that measures had been taken to secure systems and that authorities were involved. The absence of a received ransom demand at the time of their statement presents an interesting aspect of the incident, as the threat actor had publicly set a deadline for negotiation. This could imply that communications were occurring through other, private channels, or that the public claim itself was the primary form of pressure. The federation’s definitive statement that they would not negotiate a payment removed the possibility of a private resolution from the public perspective, potentially influencing the threat actor's next steps regarding the data they claimed to hold.
The response timeline shows a rapid reaction from the internal teams upon detection, with measures to eliminate the malware implemented swiftly. The engagement with law enforcement represents a secondary phase of the response, focusing on investigation and legal recourse rather than immediate technical containment. The full forensic investigation to determine the initial attack vector, the exact extent of data access, and the completeness of the malware eradication would likely have continued beyond the initial public statements. The collaboration with police suggests a thorough incident response process was underway, adhering to best practices for major cybersecurity events.
As the June 27 deadline set by the Play group approached, the situation would have remained dynamic. The potential for data release constituted an ongoing threat to the privacy of individuals associated with the FFR. The federation's stance of non-cooperation meant that the threat of publication was a tangible outcome. The incident serves as an example of the challenges organizations face when dealing with cybercriminal entities that specialize in data theft and extortion, balancing the need to protect stakeholder data with the principle of not funding criminal enterprises. The final resolution regarding whether the stolen data was ever publicly released or sold was not detailed in the immediate aftermath reports.
