
Cyber Incident Victim: Verhelst Group

Date: Sep 2023

Location: Belgium

Summary

Verhelst Group, a construction firm with multiple locations, experienced a cyberattack that severely disrupted operations by halting customer communications and obscuring inventory, production, and transport oversight. Personnel resorted to using recovered mobile devices and manual processes like pen-and-paper record-keeping to maintain basic functions, while mandatory remote work was temporarily imposed. The company declined negotiations with attackers, instead collaborating with national security and external ICT professionals to gradually restore systems using data retrieved from their cloud. Operations recovered to approximately 90% functionality, though irrecoverable losses included a historical photo database spanning nearly a century, described as an emotional setback. Post-incident infrastructure changes eliminated physical servers to mitigate future risks, and heightened cybersecurity awareness was emphasized.

Description

The Verhelst Group, a Belgian construction company headquartered in Oudenburg with regional branches across West Flanders and other locations, experienced a significant cyberattack around September 18, 2023. The attack disrupted operations across all eleven company sites, completely severing customer communication channels and paralyzing internal inventory and transportation management systems. Employees lost visibility into material stock levels, production schedules, and logistics, forcing a segment of staff into mandatory temporary leave due to operational paralysis. The company’s leadership refused payment negotiations with the threat actors on ethical grounds, immediately reporting the incident to Belgian State Security authorities while mobilizing internal IT staff and external cybersecurity professionals for forensic analysis and system triage. Emergency measures included deploying recovered legacy mobile devices and reverting entirely to paper-based administrative processes to sustain minimal functionality. Warehouse teams manually inventoried physical stock using printed records, enabling the continuation of customer pickups for urgent orders during the initial disruption phase.

Gradual system restoration spanned approximately fourteen days, coordinated by State Security specialists alongside Verhelst’s technical recovery team. Investigators prioritized extracting operational data from the company’s cloud storage environment to rebuild replacement software platforms while isolating compromised components. By the incident’s resolution phase in early October, the company had restored 90% of normal operations through this cloud-centric recovery strategy, avoiding permanent reliance on on-premises servers. Longer-term impacts included the irreversible loss of a century’s worth of historical project photographs archived in databases unrecoverable from affected systems—a loss described as particularly devastating given the company’s imminent centenary. Leadership publicly emphasized organizational lessons around cloud migration for cyber resilience and advocated third-party security audits via government-endorsed “Cyberfundamentals” frameworks, citing multi-hour crisis management meetings during recovery as justification for proactive preparedness investments. Staff cohesion reportedly strengthened throughout the response despite sustained interruptions requiring improvised operational workflows for critical business continuity.
