Cyber Incident Victim: Météo-France

Date:

Apr 2023

Location:

France

Summary

Météo-France was the victim of a cyber attack that targeted its domain name system with a denial-of-service attack. This caused significant disruption by preventing public access to its websites and mobile application, and also impacted extranets for institutional clients and teleworking tools. Technical teams responded immediately and successfully restored service. Throughout the incident, the organization's core forecasting mission for public safety remained fully operational, including the production and dissemination of vital weather products.

Description

On the evening of Tuesday, April 11, 2023, Météo-France, the French national meteorological service, became the target of a significant cyber attack. The incident persisted throughout the night and into the following day, with service being restored during the afternoon of Wednesday, April 12. The nature of the attack was identified as a denial-of-service attack specifically targeting the organization's domain name system (DNS) management infrastructure. This type of attack functions by overwhelming servers with an immense and sustained volume of requests, effectively saturating their capacity and preventing them from responding to legitimate traffic.

The primary impact of this saturation was that Météo-France's public-facing digital services became effectively inaccessible. The main websites intended for the general public, which provide weather forecasts and warnings, were nearly impossible to access for the duration of the attack. The official Météo-France mobile application, a key tool for disseminating weather information to the public, experienced the same widespread service interruption. Beyond the public services, the attack also impacted internal and partner-facing systems. The extranets used by Météo-France's institutional and commercial clients, which contain specialized meteorological information and data, also became unavailable. The means for remote work, meaning the internal systems and virtual private networks used by Météo-France employees for teleworking, were likewise affected by the service disruption.

Despite the severe disruption to its public and internal digital platforms, Météo-France's core operational mission of ensuring public safety through weather forecasting remained fully functional throughout the entire incident. The technical teams confirmed that the chain of meteorological production was completely undisturbed. This chain begins with the critical reception of observational data from various sources like satellites, radars, and weather stations. It then proceeds to the computation and running of highly complex numerical weather prediction models on the organization's supercomputers. Finally, the process culminates with meteorologists and forecasters utilizing the output from these models to analyze and interpret the data. None of these essential steps were interrupted by the denial-of-service attack targeting the domain infrastructure.

To ensure the continuity of its vital safety services, Météo-France employed alternative dissemination channels for its key products. The organization was able to continue producing and distributing all forecast outputs. Most importantly, the Vigilance map, a crucial public safety tool that issues color-coded weather warnings for phenomena such as floods, storms, and extreme cold across all departments of France, was maintained without interruption. This essential product was shared directly with state services and emergency responders through established secure channels. Furthermore, Météo-France leveraged its social media presence on platforms like Twitter to publicly broadcast the Vigilance map and other critical updates, ensuring the information reached the public despite the inaccessibility of its primary websites.

The technical response to the attack was immediate and sustained. Upon detection of the incident, Météo-France's technical teams mobilized to analyze, mitigate, and ultimately neutralize the attack. Their efforts focused on countering the massive influx of malicious requests overwhelming the DNS servers. Through these response actions, the teams restored full access to all affected services by the afternoon of April 12, bringing the period of disruption to an end. The organization's public communication following the incident emphasized that the attack was solely a denial-of-service incident and did not involve any data breach, exfiltration, or intrusion into its internal data systems, confirming that the integrity and confidentiality of its meteorological and user data remained intact throughout the event.
