Cyber Incident Victim: CAPSO

Date: Jun 2023

Location: France

Summary

The municipality of Saint-Martin-lez-Tatinghem experienced a ransomware attack targeting its digital systems, prompting immediate containment measures by CAPSO to isolate affected machines and disconnect internet access. While critical services like schools and technical departments remained operational, email systems and municipal operations at the town hall faced significant disruptions, with partial data encryption and potential theft of personal information. Authorities opted against paying the ransom, collaborating with cybersecurity and law enforcement agencies to investigate the breach and restore secure access to preserved documents. Public advisories were issued regarding possible fraudulent use of compromised data.

Description

On June 21, 2023, the municipal systems of Saint-Martin-lez-Tatinghem experienced a ransomware attack that disrupted operations. The intrusion involved malware designed to encrypt files and demand payment for decryption. CAPSO, the municipality’s digital service provider, detected initial network irregularities and initiated containment measures, including isolating all affected machines and severing internet connectivity to prevent further propagation. Coordination began immediately with the Hauts-de-France Regional Cyber Incident Response Team (CSIRT), the National Gendarmerie, and CAPSO to assess the breach. By June 23, preliminary analysis confirmed the attack had compromised a subset of data, though full diagnostic details regarding the intrusion’s origin and severity remained under investigation. The municipality publicly disclosed the incident that day, noting most services were impacted but maintained through adapted workflows, with email systems temporarily disabled and citizens directed to contact officials via phone or in-person visits.

The attack primarily targeted municipal services at the town hall on Place Cotillon Belin, where encrypted documents required gradual, secure restoration. Other infrastructure, including technical services, libraries, schools, the Maison du Rivage facility, and the eTicket cafeteria and daycare reservation system, remained operational. By June 28, authorities confirmed no ransom would be paid to avoid legitimizing the attackers’ actions, though they acknowledged probable exfiltration of personal data, prompting a formal report to France’s data protection authority (CNIL). Recovery efforts prioritized phased reactivation of secured systems; email access was partially restored, but communications received since June 21 were processed with delays. Public advisories urged vigilance against phishing or fraud attempts leveraging stolen data, directing citizens to report suspicious activity to cybermalveillance.gouv.fr and update compromised credentials. The Gendarmerie’s investigation continued to determine the scope of data theft, while municipal updates were disseminated via the city’s website and Facebook page.
