
Cyber Incident Victim: Université Aix-Marseille

Date: Jun 2023

Location: France

Summary

Aix-Marseille University was hit by a cyberattack originating from a foreign country. The institution's security systems triggered an alert, prompting a rapid response in which the entire network was taken offline to prevent significant damage and potential data breaches. While classes continued, students and staff lost access to internet services and network-dependent educational tools. The website was restored the following day, with a gradual business resumption plan underway to restore other services.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique

Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On or around June 7, 2023, Aix-Marseille University, the largest university in France with approximately 80,000 students, was hit by a cyberattack. The incident occurred in the middle of the morning, prompting the university's management to send an alert to its professors that the entire network had been compromised. The attack was described by the institution as originating "from a foreign country," though no specific nation or threat actor was identified. The university's security and monitoring systems triggered an immediate alert upon detecting the intrusion. This rapid detection allowed the university's technical services to respond very quickly. The primary response action was to deliberately take the entire university network offline. This action was a containment measure, executed in a bid to interrupt the ongoing attack and to prevent any potential data breaches from being successfully completed.

As a direct consequence of taking the network offline to contain the threat, widespread disruption ensued. The university's main website became inaccessible to both internal users and the public. Internet access across the university's systems was completely cut off. This loss of connectivity significantly impacted the daily operations of the institution. While physical classes were not canceled and continued to run as scheduled, both students and staff were unable to engage in any educational or administrative activities that depended on access to online tools or the university network. This de facto removal of critical work tools affected certain services within the university, hindering their ability to function normally. Staff members were sent home for the day as they could no longer access the network resources required for their work.

The university's communications director, Clara Bufi, stated that the very rapid reaction of the university's services made it possible to avoid potentially significant damage. Management indicated that great damage was averted because of the swift alert and the subsequent decision to disconnect the network. The immediate focus following containment was on recovery and restoration of services. The university initiated its business resumption plan with the intention of gradually restoring network functionality. Activity was expected to resume progressively beginning on Thursday, June 8, 2023, the day immediately following the attack. The university's website was confirmed to be back online by Thursday morning, marking the first step in the recovery process. The communications department indicated that teams were fully mobilized to reestablish the network, though no specific timeline was provided for how long the full restoration process would ultimately last.

The nature of the cyberattack was not officially confirmed by the university. It was not publicly known whether the incident involved ransomware, data theft, or another form of compromise. Similarly, it was not confirmed whether an extortion note or ransom demand had been sent to the institution. The potential for a data breach remained a central concern. A university spokesperson stated that law enforcement had not been formally engaged at that initial stage. However, the university explicitly stated it would inform the relevant judicial authorities if a theft of data was subsequently discovered and confirmed. The incident was noted as part of a broader pattern of cyberattacks targeting large structures in France, including other universities, city halls like those in Lille and Rouen, and hospitals in regions like Brittany. The article also referenced a separate wave of attacks by pro-Russian hackers that had targeted French municipal websites earlier in the spring, though no connection was made between those events and the attack on the university. The response was focused on technical recovery and assessment, with a decision on further legal action pending the outcome of the investigation into whether any data was exfiltrated.
