Cyber Incident Victim: Bretagne
Date:
Mar 2025
Location:
France
Summary
The municipality of Merlevenez suffered a cyber intrusion in which attackers gained remote control of its computers and monitored internal communications. Using stolen credentials they attempted to order telephone services worth about twenty‑five thousand euros from one provider and computer equipment exceeding one hundred twenty‑five thousand euros from another, but the vendors contacted the legitimate director and thwarted the fraud. The attackers also tried to alter the municipality’s bank details on genuine invoices to divert payments, prompting the filing of complaints for hacking and identity theft.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In mid‑March 2025 the commune of Merlevenez in the Morbihan department suffered a cyberattack when an employee opened an email attachment that appeared to come from a supplier. The attachment was unreadable, but clicking it allowed hackers to install two covert spyware programs on the municipal computers. These tools gave the attackers remote control of the workstations while remaining invisible to users, enabling them to move laterally across the network without detection. Once inside, the attackers monitored internal email traffic, harvesting the identities, email addresses, login credentials and client account codes of municipal staff and their business partners. The director general of services, Gwenaël Chauvel, later recounted that he had received the suspicious mail, had clicked the attachment despite his familiarity with digital tools, and had previously completed online training courses offered by the French national cybersecurity agency (ANSSI).
Using the gathered information, the hackers on 12 March 2025 attempted to place fraudulent purchase orders in the name of the commune. They sought 25 000 euros worth of telephone lines from Bouygues Telecom and more than 125 000 euros of computer and multimedia equipment from Lenovo. Both vendors became suspicious because the commune had recently renewed its telephone equipment and contacted the purported director general of services to verify the requests; the call exposed the identity spoofing and prevented the transactions from being completed. In parallel, the attackers tried to divert funds by sending genuine municipal invoices accompanied by forged requests to change the bank account details (RIB) attached to payments. As noted by Guillaume Chéreau, director of the regional cyber‑crime unit Breizh Cyber, once money is transferred there is only a 48‑hour window to intervene before the funds are moved overseas and become unrecoverable. The vigilance of the two companies and the prompt verification by the commune’s staff stopped the fraud before any money was transferred.
Following the failed attempts, the mairie of Merlevenez lodged a formal complaint for computer hacking, while the director general of services filed a separate complaint for identity theft. Local authorities, including the Morbihan prefecture and gendarmerie, reiterated their cyber‑risk prevention advice, with the most recent public notice issued on 24 March 2025 warning communes about similar threats. The incident highlighted the use of stealthy remote‑access malware and the fake‑RIB technique as prevalent tactics against public‑sector targets in Brittany.