
Cyber Incident Victim: Ayuntamiento de Sevilla

Date: Sep 2023

Location: Spain

Summary

A Dutch hacker group, LockBit, launched a ransomware attack against the Ayuntamiento de Sevilla, demanding a multi-million euro ransom. The attack blocked access to municipal IT systems and virtual offices, severely disrupting services including tax collection and emergency operations. The city government refused to negotiate with the cybercriminals and is working with national police and cybersecurity agencies to restore systems. Initial assessments indicate that citizen data was not accessed during the breach.


Description

On or around September 5, 2023, the Ayuntamiento de Sevilla suffered a significant cyberattack that rendered its digital services inoperable. The municipal government identified the perpetrators as the Dutch-origin hacker group LockBit, which is recognized as one of the most prolific ransomware collectives in history. The group employs malicious software specifically designed to block user access to computer systems and subsequently demands a ransom payment to restore that access. In this instance, the attackers demanded a ransom of five million euros from the city council for the recovery of its services and systems. The official stance of the Ayuntamiento, as conveyed by the team of José Luis Sanz, was a firm refusal to negotiate with or pay the cybercriminals, a position consistent with standard practices advised for such incidents.


The impact of the attack was immediate and widespread, crippling the virtual offices of various municipal companies and organizations. This disruption caused a ripple effect, leading to a collapse of the telephone systems as users, unable to conduct business online, urgently attempted to make contact by phone to complete their administrative tasks. One service severely affected was the tax collection service of the Agencia Tributaria. With the electronic portal (sede electrónica) inaccessible, officials had to instruct citizens to pay any outstanding fees or fines directly at a bank branch, as digital payment processing was completely unavailable. The attack also forced fundamental changes in the operations of essential emergency services. The incident reporting systems for both the Local Police and the Fire Brigade were rendered useless, compelling personnel to revert to writing down and recording all incidents by hand, a significant step backward in efficiency and response tracking.

In a press conference held to inform the public about the ongoing situation, the delegate for Digital Transformation, Juan Bueno, provided technical details regarding the breach. He explained that municipal technicians, working alongside external specialized personnel, had been engaged in continuous efforts to determine the precise origin and full scope of the attack with the ultimate goal of reestablishing normality as swiftly as possible. Bueno also disclosed a critical finding: the technicians had successfully identified the specific computer through which the criminals had gained initial access to the system. Furthermore, while awaiting a final comprehensive report, preliminary indications suggested that the LockBit group had not successfully exfiltrated or accessed the personal data of Seville's citizens, a potentially mitigating aspect of the security breach.

This incident was not the first cybersecurity challenge faced by the Ayuntamiento de Sevilla. During the summer of 2021, the city hall fell victim to a different type of cyber fraud, one that has affected dozens of administrations, institutions, and companies across Spain in recent years. That previous attack was identified as a "Man in the Middle" or intermediary attack. This method involves malicious actors intercepting communications between two parties to access information, which they can then modify at will without the knowledge or consent of the affected parties. In the 2021 event, cybercriminals successfully intercepted communications between the Ayuntamiento and the company awarded the contract for the city's Christmas lighting, demonstrating a persistent vulnerability within the municipal digital infrastructure.

The vulnerability of the Ayuntamiento de Sevilla to such cyber threats had been previously highlighted by national cybersecurity authorities. The National Institute of Cybersecurity of Spain (Incibe), which operates under the Ministry of Economic Affairs and Digital Transformation, had explicitly warned about the high vulnerability of Seville to cyberattacks. In its most recent cybersecurity report for the year 2022, the Incibe alerted that the province of Seville was among the Spanish territories with the highest number of devices vulnerable to cyber incursions. According to a map of vulnerable devices—which includes those affected by malicious software, misconfigured, or undesirably exposed to the internet—the provinces with the most detected vulnerabilities in the past year were Madrid, Barcelona, Valencia, and Seville. With 127,932 vulnerable devices identified, Seville ranked fourth on this concerning national list, providing a clear indicator of the broader security landscape that made it a target for groups like LockBit.

The response to the attack was a coordinated effort involving multiple agencies. The Ayuntamiento worked jointly with the National Police and the CCN-CERT, the incident response team of the National Cryptologic Center (CCN), which is responsible for responding to computer security incidents in the Spanish public sector. Meanwhile, the municipal technicians and external specialized staff continued their work around the clock from the moment the attack was discovered to restore functionality. The combination of a high-profile threat actor, a substantial financial demand, a severe operational impact on city services, and a history of prior incidents and identified vulnerabilities makes this event a serious cyber incident for the Ayuntamiento de Sevilla. The full restoration of services and a complete forensic understanding of the breach's extent were the immediate priorities for the ongoing investigation and recovery operation.
