
Cyber Incident Victim: Bouygues Telecom

Date: Mar 2023

Location: France

Summary

A ransomware attack targeted Bouygues Telecom Entreprises' OnCloud service infrastructure, specifically impacting VMware ESXi hosts running client virtual machines, which paralyzed operations for "a few dozen" customers. The intrusion, suspected to have originated via an exposed vulnerable Citrix Gateway server, encrypted systems without confirmed prior data exfiltration. The company restored service access for 75% of affected clients within days, initiating data recovery processes while asserting no ransom payments would be made. The incident underscores systemic risks to digital service providers (ESNs), as compromise can propagate across client sectors due to their centralized role in hosting critical applications. Bouygues maintained no data leaks occurred and emphasized ongoing cybersecurity response efforts to mitigate disruption.

CIA Posture: available to members
Motives: 3 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 2 actors
Type: available to members
Location: available to members

Description

On March 18, 2023, Bouygues Telecom Entreprises detected a ransomware attack targeting its OnCloud service, a cloud hosting platform derived from its 2021 merger of Nerim’s telecommunications division and Keyyo. The attackers directly compromised VMware ESXi hosts running virtual machines for clients, disrupting SaaS applications hosted by multiple businesses. Initial intrusion vectors were suspected to include a Citrix Gateway server in a vulnerable state, exposed as late as March 16, though Bouygues had secured it by the time of public disclosure. Two affected clients—ProTechnologies, an automotive service management application provider, and Innovance Solutions—experienced service outages, with one client’s end users publicly reporting inaccessible systems by March 20. Bouygues confirmed the attack impacted "several dozen" OnCloud customers, attributing the breach to infrastructure historically linked to Boost, a subsidiary acquired by Nerim in 2013. While early intrusion traces were dated to early March 2023, allowing potential attacker dwell time, Bouygues stated no evidence confirmed data exfiltration prior to the ransomware deployment. The specific ransomware family remained unidentified.


Bouygues Telecom Entreprises engaged cybersecurity experts to contain the incident, recovering data and restoring 75% of affected clients' access within days of detection. Clients received direct notifications within 24 hours of discovery, accompanied by remediation guidance. The company publicly refused to pay a ransom and maintained that no data leakage had occurred, though third-party observations raised concerns about the pre-attack exposure of the Citrix system. The incident underscored broader vulnerabilities in digital service providers (ESNs), aligning with the French cybersecurity agency ANSSI's 2022 warnings about sector-wide risks arising from such providers' interconnected client ecosystems. This attack mirrored prior disruptions affecting ESNs such as ITS Group and Akka Technologies, reinforcing a pattern of threat actors targeting shared infrastructure to amplify collateral damage across dependent organizations. Bouygues emphasized ongoing client updates and full remediation efforts without operational concessions to the attackers.

Sources: 1 source (available to members)