Cyber Incident Victim: Concello de Cangas
Date: Apr 2023
Location: Spain
Summary
The Concello de Cangas was hit by a ransomware attack attributed to the LockBit group, preventing the payment of employee salaries totaling approximately half a million euros. The incident destroyed data and backups, crippling municipal operations. An investigation was launched by the Guardia Civil and the CNI, who noted the attackers' high level of encryption. This attack on a public institution followed a pattern of similar incidents targeting local companies.
Description
The Concello de Cangas suffered a severe cyberattack that was detected in the week prior to May 31, 2023. Municipal staff began to notice that data and files necessary for the day-to-day management of the town council were being deleted. Upon technical investigation, it was confirmed that this was a full-scale attack. The incident directly targeted the municipality's payroll system, rendering the local government unable to process the monthly salaries for its 229 employees. This payroll amounts to approximately half a million euros each month, with individual salaries ranging from 1,200 to 4,000 euros.

The attack was attributed to an alleged international group of cybercriminals who used a high level of encryption to lock the system. The attackers deployed a ransomware strain, identified as LockBit, and subsequently made a financial ransom demand in exchange for unlocking the compromised systems. The specific amount of the ransom demand was not disclosed publicly. The attack resulted in the destruction of vast quantities of data, including security backups, which significantly complicated recovery efforts and heightened the severity of the incident.
Following the confirmation of the attack, the Concello's governing team, led by acting deputy mayor and councilor for finance Mariano Abalo and mayor Victoria Portas, initiated its response protocol. A formal complaint was filed with the Guardia Civil, and the matter was reported to the Centro Nacional de Inteligencia (CNI), specifically the intelligence services of the Centro Criptográfico Nacional (CCN), in accordance with the established protocol for public administrations. Both the CNI and the Guardia Civil took an active role in the investigation, though the outcomes of their initial inquiries were not publicly known at the time of reporting.
The primary and most immediate impact of the incident was the inability to pay employee wages for the month of May. The 229 affected municipal workers include 43 civil servants and 186 permanent and temporary contract staff. These employees were left waiting for a resolution to receive their salaries, with the local government working against the clock to normalize the situation. The Concello engaged its external IT services provider, the company responsible for maintaining the payroll program, in an intensive effort to restore system functionality without capitulating to the ransom demand.
The local government expressed confidence that salaries could be deposited into employee bank accounts by the end of the day on Thursday, June 1, or by Friday, June 2. The technical work focused on bypassing the encrypted systems to facilitate the payment of wages as soon as possible, ensuring employees would not face prolonged financial hardship due to the attack. This incident was not the first cybersecurity intrusion experienced by the Concello de Cangas; the municipality had previously suffered virus intrusions. However, those prior incidents were detected in time through patching programs and did not result in significant consequences for the normal functioning of the institution, unlike the severity of this attack.
The timing of the attack, occurring just days before the scheduled local elections, raised questions regarding a potential political motive aimed at sabotaging or influencing the electoral process. Councilor Abalo publicly stated that they did not know if the attack was intentionally timed with this goal, merely noting the coincidence of its occurrence prior to the polls. The incident was contextualized within a broader trend of similar attacks against Spanish public administrations and private companies in the surrounding Vigo region, where cybercriminals leverage the critical nature of operational downtime to extort significant financial payments.
