Cyber Incident Victim: Université Paris 8 Vincennes-Saint-Denis
Date: May 2023
Location: France
Summary
The official website of Université Paris 8 Vincennes was compromised by pro-Russian hackers who defaced it with a political message hostile to Ukraine. The attack rendered the main site inaccessible for an extended period, displaying a message that included 'Vive la russie et la France fuck lukraine'. Notably, the defacement also provided a link to the university's Moodle platform, ensuring students and faculty could still access essential educational resources. The incident was not officially claimed by any group.
Description
On or around May 21, 2023, the official website of Université Paris 8 Vincennes-Saint-Denis was compromised in a cyberattack. The incident rendered the primary university website inaccessible for a prolonged period, beginning around midday on that Sunday. The website's usual content was replaced with a political message written in English. The displayed text was hostile towards Ukraine within the context of the ongoing Russo-Ukrainian war and included the statement, "Vive la russie et la France fuck lukraine […]". The message contained a notable spelling error in its target, "lukraine" instead of "Ukraine". This defacement constituted the primary action of the attackers, making the political statement publicly visible to visitors of the site.

While the attack shared a common political motivation with other incidents targeting French institutions, its methodology differed significantly from the widespread Distributed Denial-of-Service (DDoS) campaigns attributed to pro-Russian groups. Notably, the attack on the university was not officially claimed by any group as of May 22, 2023, at noon. This lack of a public claim distinguished it from other attacks, such as those on the French National Assembly and the Senate, which were publicly claimed by the pro-Russian collective "NoName057(16)". That group had employed DDoS methodologies, which function by overwhelming a website's servers with traffic to force it offline. In contrast, the Paris 8 incident involved a direct website defacement, indicating a different technical approach that allowed for content modification rather than simple takedown.

A particularly unusual aspect of this defacement was the inclusion of a functional hyperlink within the hackers' political message. Alongside the anti-Ukraine sentiment, the attackers provided the specific web address where the university's Moodle platform could still be accessed. Moodle is a crucial online educational tool used for distributing course materials, presentations, and maintaining calendars of deadlines for both students and teaching staff. The timing of the attack was notable as it occurred during a holiday weekend in May, a period immediately preceding final examinations for many students. The continued operation of the Moodle platform was therefore critical for academic continuity, allowing students to access vital resources for their studies and revisions despite the main website being compromised.

This specific action of leaving the Moodle platform operational and directing users to it led to speculation about the possible profile of the threat actor. The nature of the attack, combining a political message with a seemingly considerate act towards the university's student body, raised the possibility that the perpetrator could have been an insider, such as a student or a member of the teaching staff. This individual may have sought to broadcast a political message without intending to completely disrupt the academic process, particularly during the critical exam period. However, no evidence was available to confirm this hypothesis, and the origin of the attack remained officially undetermined.

The impact of the incident was primarily the prolonged unavailability of the university's main website and the reputational damage associated with its public defacement. The site remained inaccessible for many hours throughout the day on May 21. Restoration work was undertaken, and the situation appeared to have returned to normal by the morning of May 23, 2023, indicating a containment and recovery period of approximately two days. The response actions involved university IT personnel or external consultants working to remove the malicious defacement code, restore the original website content, and ensure the system's security was reinstated.

No additional technical details regarding the initial vector of the attack, such as a specific vulnerability exploited, were disclosed in the available reporting. Similarly, no information was provided concerning potential data breaches or other system infiltrations beyond the surface-level website defacement. The incident was reported upon by major French media outlets, including Le Parisien and BFMTV, highlighting its public visibility. This event added to the growing list of French institutions targeted by politically motivated cyberattacks since the beginning of the Russo-Ukrainian conflict, though its unique characteristics set it apart from the more common DDoS attacks attributed to known collectives.
