Cyber Incident Victim: Axido

Date:

Jun 2024

Location:

France

Summary

Axido, a French digital services provider, experienced a ransomware attack resulting in partial encryption of clients' hosted production environments. The company isolated its systems, engaged an independent cybersecurity expert recommended by national authorities, and initiated investigations without contacting the attackers. Restoration efforts are underway using pre-encryption data, though the process remains protracted due to necessary security validations, infrastructure reconstruction, and data transfer complexities. While no evidence of sensitive data exfiltration has been found, the incident severely disrupted client operations, particularly affecting hosted business applications. A formal complaint was filed with relevant authorities as recovery continues under stringent security protocols.

Description

Axido, a French IT services company within the Proxiteam group, experienced a cyberattack first detected around June 12, 2024, when the company was alerted to a potential compromise of privileged access credentials. This followed reports days earlier of similar access credentials for a French digital services firm being sold on cybercrime forums, circumstantially matching Axido’s profile. The company promptly isolated its entire information system to contain the breach, causing its websites and communication channels to become inaccessible. Clients were notified via email of a security incident, while phone support referenced an unspecified "security incident" as the reason for service disruptions. Axido confirmed the cyberattack in an initial statement, emphasizing efforts to mitigate impacts and launching an investigation with an independent cybersecurity firm recommended by France’s National Cybersecurity Agency (ANSSI). Competent authorities were contacted, and the company planned to file a formal complaint, though no evidence of data theft or leakage was identified at this stage. The attack’s complexity necessitated thorough analysis to determine its origin, methods, and full scope before any restoration could begin.

By June 20, 2024, Axido confirmed ransomware was used to partially encrypt production environments hosting client systems, though it did not disclose the ransomware variant or affiliated groups. Adhering to ANSSI guidelines, the company refused to engage with the attackers. While Axido possessed intact pre-encryption data backups, these required rigorous analysis before reuse to avoid reintroducing the compromised access points the attackers had used. Restoration efforts commenced but faced significant delays due to the time-intensive processes of secure data transfers, infrastructure reconstruction, and forensic investigations. Hardware critical to securing data remained sequestered for analysis, further prolonging recovery. Axido explicitly avoided committing to timelines for fully restoring client environments, acknowledging that the process would be "very long" and would directly impact clients reliant on hosted business applications. The company recognized the operational and reputational strain on affected clients, paralleling its own operational challenges, but prioritized comprehensive security measures over expediency. The incident underscored the cascading disruptions caused by ransomware attacks on managed service providers, where compromised infrastructure delays recovery for multiple dependent organizations.
