Date: May 2023

Location: Martinique

Summary

The Government of Martinique was impacted by a ransomware attack claimed by the Rhysida group. The attack disrupted the information system, heavily affecting community activities, users, and partners. In response, the government isolated its systems and implemented its continuity plan. Efforts were focused on restoring priority services including finance, solidarity payments, and education, with many services temporarily reverting to paper-based processes. The attackers subsequently leaked government-related files on their site.


Description

On May 16, 2023, a cyberattack impacting the Collectivité Territoriale de Martinique (CTM), the government of Martinique, was detected. The Rhysida ransomware group subsequently claimed responsibility for the attack, adding the government to its data leak site. The group had first emerged earlier that same month, and the Martinique incident was one of its earliest publicly claimed operations. Upon discovery of the intrusion, the Collectivity's response team immediately isolated the entire information system from the attackers. This containment action, while necessary to halt the progression of the attack, severely disrupted the government's operations and directly impacted its users, citizens, and partner organizations.


The full technical scope and initial attack vector used by the Rhysida group against Martinique were not detailed in public statements. The group's leak site provided a listing of files that appeared to be government-related, as evidenced by screencaps, but the ransomware actors did not offer any summary detailing the types or volume of data exfiltrated. Unlike some other ransomware operations, Rhysida did not list victims with a timer or a warning prior to leaking data; the only entries on their site were for victims whose data had already been published. The Martinique listing was one of only four victims on the site at the time, alongside an English school, a Swiss manufacturer, and an Australian immunodiagnostic technology firm, indicating no clear sectoral focus for the nascent group.

In response to the crisis, the government teams, accompanied by external cybersecurity experts, mobilized to conduct a forensic investigation to identify the root causes and full extent of the attack. A primary objective was the gradual restoration of critical services, with priority given to the domains of finance, solidarity, and education. The continuity plan was activated to manage the widespread unavailability of digital platforms. For solidarity services, which include the distribution of social benefits, the Collectivity focused all efforts on ensuring these crucial payments would still be made to citizens who relied on them, despite the crippled IT environment.

The attack profoundly affected the education sector. Internet access for colleges and high schools was severed because the information system had been isolated. Technical teams worked to establish alternative solutions to restore connectivity. Coordination between the services of the rectorate and the CTM was needed to ensure that student examinations could still be held under the altered technological circumstances. The government's financial operations were also severely hampered. A specific recovery milestone was announced: from the Thursday following the attack, the Collectivity would regain the ability to issue purchase orders and process the payment of bills. However, this resumption of activity required a shift to paper-based processes; all bills and financial documents had to be filed in physical format through the "mail" service located at Plateau Roy.

This reversion to manual, paper-based workflows extended to other government functions. The platforms dedicated to handling applications for aid and subsidies were rendered completely unavailable. Consequently, all requests for assistance had to be filed in paper format and submitted to the same "mail" service at Plateau Roy. This operational downgrade slowed administrative processes and placed a greater burden on both citizens and government employees. The government communicated these measures and the status of the incident through a notice posted on its official Facebook page on May 24, 2023, eight days after the initial detection of the attack. This notice served as the primary public acknowledgment of the cyberattack and outlined the initial response and recovery steps being taken.

There was no indication from the government's Facebook page of any further public updates following the May 24 posting. External attempts to gather additional information were met with silence. DataBreaches.net sent an email to the Martinique government containing a number of questions about the claimed attack and the subsequent data leak but did not receive a reply by the time of its publication. Similarly, an attempt to contact the Rhysida ransomware group to inquire whether they had encrypted Martinique’s files and if any negotiation attempts had occurred also yielded no response. The available evidence, including file creation dates within the leaked data set dating to shortly before May 16, suggested that Rhysida did not operate with a prolonged negotiation period and moved quickly to publish the stolen data.

The incident highlighted the disruptive potential of ransomware attacks against government entities, forcing a temporary but complete shift to analog operations for critical financial and social functions. The full consequences, including the potential exposure of sensitive citizen data contained within the leaked files, were not explicitly detailed by the government. The focus of public communication remained on the restoration of services and the implementation of workarounds to maintain government continuity. The involvement of external cybersecurity experts was confirmed, though the specific firms assisting were not named. The attack on the Collectivité Territoriale de Martinique stood as an early marker in the activity of the Rhysida ransomware group, a new actor whose tactics, techniques, and procedures were still being analyzed by security researchers at the time of the incident.
