
Cyber Incident Victim: Merlevenez

Date: Mar 2025

Location: France

Summary

The commune of Merlevenez in the Morbihan department fell victim to a cyberattack in which hackers infiltrated its computer systems by tricking an employee into opening a malicious attachment. They installed spyware that allowed remote, stealthy access, enabling them to monitor email communications and harvest credentials, including those of the director general of services. Using the stolen identity, the attackers attempted to place large orders with Bouygues and Lenovo, totaling over 150,000 euros, but the companies' suspicion averted the fraud. Additionally, the perpetrators tried to divert funds by substituting the commune's bank details on legitimate invoices. Both the commune and the director general of services have filed complaints for computer piracy and identity theft.


Description

The commune of Merlevenez in the Morbihan department suffered a sophisticated cyberattack in mid-March 2025, which began with a phishing email. According to Gwenaël Chauvel, the Director General of Services (DGS), the initial vector was an email from a known supplier containing an unreadable attachment. Despite his own digital literacy and prior cybersecurity training from the French National Agency for the Security of Information Systems (ANSSI), Chauvel opened the attachment, inadvertently granting the attackers a foothold within the municipal network. The hackers then deployed two remote access spyware tools onto the compromised computer. These tools allowed them to establish persistent, discreet control, enabling them to move laterally across other networked workstations without visible signs of intrusion, as observed later by the community's IT manager. This stealthy access permitted the attackers to monitor internal email communications between municipal services and various businesses over an undetermined period. During this reconnaissance phase, they systematically harvested sensitive data, including employee identities, email addresses, and crucially, client account credentials and codes associated with the commune's commercial relationships.


Armed with this stolen information, the attackers executed the financial fraud component of their operation on March 12, 2025. They impersonated the DGS to place two large, fraudulent orders with reputable national companies. The first attempt targeted Bouygues for telephone lines worth 25,000 euros, and the second targeted Lenovo for computer and multimedia equipment exceeding 125,000 euros. Both transactions were flagged as suspicious by the vendor companies. Their vigilance was prompted by the unusual nature of the orders; for instance, the commune had recently upgraded its telephone system, making a large new order seem incongruous. The vendors independently contacted the real DGS, Gwenaël Chauvel, to verify the requests, an action that immediately exposed the impersonation and halted the attempted purchases.

Concurrently, the municipal investigation revealed a parallel attempt to manipulate financial transfers. The hackers had obtained genuine invoices from the commune and attempted to fraudulently alter the bank account details (RIB) on them. This "false RIB" technique aims to redirect legitimate payments into accounts controlled by the criminals. As explained by Guillaume Chéreau of Breizh Cyber, the regional cybercrime unit, once funds are transferred abroad, recovery within a 48-hour window is often impossible. The combination of vendor skepticism and the commune's internal review prevented any monetary loss.

Following the discovery of the full scope of the intrusion—including the data theft and the attempted RIB fraud—the commune of Merlevenez and the DGS individually filed official complaints for computer piracy and identity theft, respectively. The incident was subsequently highlighted by regional authorities and law enforcement as a case study in the escalating cyber threats facing local governments, underscoring the importance of supplier verification and scrutiny of unexpected financial detail changes.
