Cyber Incident Victim: Montpellier

Date: Jul 2023

Location: France

Summary

A cyberattack targeted Montpellier-Méditerranée Airport, forcing its internal systems offline for several hours. The attack was described as very violent and required staff to manually process baggage and boarding. While no flights were canceled, some experienced minor delays. An investigation was launched with authorities notified, and a complaint was filed. Initial technical findings indicated no data breach occurred as a result of the incident.

Description

In the early hours of Sunday, July 2, 2023, Montpellier-Méditerranée Airport in the Occitanie region of France was subjected to a severe cyberattack. The incident, described by a management official as a "very violent" cyberattack, targeted the airport's internal computer systems and caused widespread disruption to its operations. The attack rendered all internal systems inoperable for several hours, forcing airport management and staff to organize and execute all operations manually. This manual intervention was necessary to handle critical processes that are typically automated, including baggage handling and passenger boarding procedures. Despite the severity of the systems outage, all flights scheduled for that Sunday were ultimately able to operate, though they did experience some minor delays as a direct result of the manual processing requirements. The president of the airport's executive board, Emmanuel Brehmer, when contacted, did not explicitly confirm the malicious act but did acknowledge the airport was experiencing "some computer difficulties, which caused slight delays in traffic."

The immediate impact of the attack was a significant degradation of operational efficiency. With no digital systems functional, the electronic display boards were out of service, and every check-in and boarding procedure had to be conducted by hand. Staff were required to verify passenger tickets manually, often needing to confirm details over the telephone, which substantially lengthened the time required for passenger processing. The baggage handling systems were also non-operational, necessitating the manual loading and unloading of luggage onto aircraft. This shift to entirely manual operations created noticeable delays and inconveniences for travelers, though the airport's primary function of facilitating air travel was never completely halted. The situation was deemed serious enough by airport authorities to trigger their crisis management plan, which included notifying competent state security services of the incident on Sunday morning. Furthermore, a formal declaration was made to the French data protection authority, the CNIL, and a complaint was subsequently filed with the Gendarmerie on Tuesday afternoon, initiating a formal law enforcement investigation into the origins and perpetrators of the attack.

In the days following the initial attack, airport leadership worked to provide reassurance to the public and their partners. Emmanuel Brehmer issued a statement confirming that the situation was under control and that the airport possessed backups of its systems. As a precautionary measure, the airport's technical team, supported by an expert cybersecurity partner, decided to proactively disconnect systems that were not initially impacted by the attack, to prevent any potential lateral movement or further damage by the threat actors. These technical teams were described as being fully mobilized and working relentlessly since Sunday to restore the airport's full suite of services. The restoration process was expected to be gradual, with officials anticipating that internal systems would return to normal functioning over the course of the following week. While some flights continued to experience minimal delays in the subsequent days, all air links were maintained without cancellation throughout the incident period.

A central concern following any such breach is the potential compromise of sensitive data. According to the initial technical elements available to the airport's investigation team, there was no indication that a data leak had occurred. Despite this preliminary assessment, which suggested passenger and employee personal information had not been exfiltrated, the airport management recommended that all individuals remain highly vigilant as a standard precaution. The nature of the attack led to speculation regarding the motives behind it. While no specific ransomware group or threat actor was identified in the immediate aftermath, the incident was considered serious enough that it could potentially be a racketeering effort, a common motivation behind such disruptive cyber actions. This possibility, however, was not confirmed by official sources, with Emmanuel Brehmer declining to comment on the hypothesis. The event was noted as being unprecedented in its scale for the airport, marking the first time it had suffered an attack of such magnitude, and it prompted a comprehensive security investigation to determine its precise origin and the methods used by the attackers. The collaborative effort between the airport's technical staff, external cybersecurity experts, and state security services continued to focus on full recovery and a thorough forensic analysis to understand the complete scope of the incident and to bolster defenses against future attacks.