Cyber Incident Victim: Angoulême

Date: Jul 2023

Location: France

Summary

A cyberattack targeted the IT services of Angoulême and its agglomeration community, completely paralyzing both institutions. Internet and phone networks were cut for a large part of the day, and public websites remained offline. The attack is believed to have originated from an employee clicking on a malicious email, allowing hackers to infiltrate the network. A complaint was filed with local police, and in-person services at city hall remained available.

Description

On July 24, 2023, the municipal and inter-municipal services of Angoulême, a city in the Charente department of the Nouvelle-Aquitaine region in France, were subjected to a significant cyberattack that resulted in a complete operational paralysis. The attack targeted the information technology systems of both the City of Angoulême and the Grand Angoulême agglomeration community, which is the wider metropolitan administrative body. This incident caused a severe disruption to the normal functioning of these public institutions, crippling their ability to provide services and communicate effectively. The primary manifestation of the attack was the total outage of internet and telephone networks, which persisted for a substantial portion of the day, effectively severing the digital lifelines of the local government and isolating it from the public it serves. The scale of the disruption was such that core administrative functions were brought to a standstill, highlighting the critical dependency of modern municipal operations on digital infrastructure and the profound vulnerability to such malicious acts.

The initial entry point for the attackers was identified as a malicious email that an employee interacted with. It was reported that a staff member clicked on a link within an email, an action that inadvertently provided the threat actors with the foothold they needed to infiltrate the network. This method of initial compromise is a common tactic in cyber intrusions, often referred to as phishing, where social engineering is used to trick individuals into performing actions that undermine security protocols. The simple act of clicking a link served as the catalyst for the entire incident, demonstrating how human factors can often be the weakest link in an organization's cybersecurity posture. Once this initial breach was achieved, the attackers were able to move laterally within the system, deploying their payload and establishing control over key network components, which ultimately led to the widespread shutdown of services.

As a direct consequence of the attack, the official websites for both the City of Angoulême and the Grand Angoulême agglomeration community were forced offline. These digital platforms are essential portals for citizen engagement, providing information, facilitating access to public services, and enabling various administrative procedures. Their unavailability meant that residents could not access these routine services online, creating immediate inconvenience and potentially delaying important municipal business. The prolonged nature of the outage, with the websites remaining inaccessible at the time the report was filed, indicated the severity of the compromise and the complexity of the remediation process required to securely restore functionality. The IT teams responsible were faced with the daunting task of not only recovering systems but also conducting thorough investigations to understand the full scope of the breach and ensure the attackers' presence was entirely eradicated.

The impact of the cyberattack extended beyond the city's own services, directly affecting the operations of the Grand Angoulême agglomeration community. This collateral damage occurred because the IT systems of the agglomeration are directly interconnected with those of the City of Angoulême. This interconnectedness, while efficient for day-to-day operations and data sharing, created a single point of failure that the attackers successfully exploited. The incident serves as a stark reminder of the risks associated with highly integrated IT architectures in public administration, where a breach in one entity can rapidly cascade into a broader crisis, compromising the operations of multiple linked organizations. The agglomeration community, responsible for services across a wider geographic area, found its capabilities equally paralyzed, amplifying the overall disruptive effect of the attack on public services throughout the region.

In response to the incident, the authorities took formal legal action by filing a complaint with the Angoulême commissariat, the local police station. This step is a standard procedure following a criminal act such as a cyberattack and initiates an official law enforcement investigation. The filing of a complaint signifies the seriousness with which the city authorities treated the breach and their intention to pursue legal recourse against the perpetrators. It engages the machinery of the state in the investigation, potentially bringing in specialized cybercrime units to assist in attributing the attack and identifying those responsible. This legal process runs parallel to the technical recovery efforts, forming a crucial component of the overall response to the incident.

With online services completely disabled as a direct result of the attack, the city administration had to swiftly implement contingency measures to maintain a baseline level of service for its citizens. The solution was to revert to traditional, in-person service delivery. The city communicated that residents could still access municipal services by visiting city hall directly. This shift to a physical mode of interaction ensured that critical services could still be rendered, albeit in a less efficient and more resource-intensive manner. It required citizens to expend more time and effort to conduct their business, and it placed additional strain on city staff who had to manage operations without their usual digital tools. This fallback to analog procedures underscores the profound disruption caused by the attack and the necessity for robust business continuity plans that can be activated in the event of a total digital failure.

The incident paralyzed the institutions for a great part of the day, indicating a sustained period of inactivity and recovery efforts. The duration of the outage suggests that the attack was not a minor disruption but a significant event that required considerable time to assess and begin to address. IT personnel and relevant officials would have been engaged in urgent response activities, including isolating affected systems to prevent further spread, analyzing the nature of the attack, and beginning the painstaking process of restoring systems from clean backups. The fact that telephone services were also knocked out compounded the challenges, as it hampered internal coordination and made it more difficult for the public to contact the administration to inquire about the situation or seek assistance, further exacerbating the sense of disruption and uncertainty caused by the event.
