Cyber Incident Victim: Bretagne Télécom
Date: Jan 2020
Location: France
Summary
The DoppelPaymer ransomware group exploited an unpatched Citrix ADC vulnerability to compromise a French cloud services provider, encrypting 148 Windows-based servers hosting data for approximately thirty small business customers. Attackers demanded a 35-bitcoin ransom, but the victim restored all affected systems from existing Pure Storage backups without paying, though recovery durations varied significantly across customers. While the attackers claimed minimal data exfiltration due to finding "nothing interesting," the incident underscores broader ransomware trends where operators increasingly steal sensitive information prior to encryption, blurring lines between encryption attacks and data breaches.
Description
The incident involving Bretagne Télécom began when threat actors associated with the DoppelPaymer ransomware exploited CVE-2019-19781, a vulnerability in unpatched Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances. Mass scanning for vulnerable appliances began on January 8, 2020, and public exploit code appeared two days later. Citrix had published mitigation steps (advisory CTX267027) in December 2019 but had not yet released permanent patches at this stage; fixed firmware was ultimately published between January 19 and January 24. Bretagne Télécom's appliances remained exposed during this window, enabling DoppelPaymer operators to infiltrate one of the company's server farms and deploy ransomware payloads during the first half of January. The intrusion occurred overnight, targeting 148 machines running Windows 7, Windows 8, and Windows 10 application servers that hosted data for approximately thirty small business customers. All compromised systems were rendered inoperable with data "completely encrypted," according to CEO Nicolas Boittin.
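The exposure window described above is the period in which a defender could still have caught the intrusion at the perimeter. CVE-2019-19781 is exploited through path-traversal requests that reach the appliance's `/vpns/` scripts via a `/../` segment, which is why Citrix's interim mitigation blocked exactly that combination. The following is an added example, not code from the original page or from Bretagne Télécom, that scans constructed Apache-style access-log lines for such requests; the sample log lines, IP addresses and timestamps are invented for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real Bretagne Télécom data). The two
# scanning lines use the traversal pattern published in Citrix CTX267027;
# the third is benign portal traffic; the fourth is the same probe with the
# ".." percent-encoded, which a naive substring match would miss.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64.0"
203.0.113.10 - - [08/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 88 "-" "python-requests/2.22.0"
198.51.100.7 - - [08/Jan/2020:03:15:11 +0000] "GET /vpn/index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [08/Jan/2020:03:16:20 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 512 "-" "curl/7.64.0"
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(target: str) -> str:
    """Drop the query string and percent-decode twice to defeat double encoding."""
    path = target.split('?', 1)[0]
    for _ in range(2):
        path = unquote(path)
    return path


def is_traversal_probe(decoded_path: str) -> bool:
    """Same condition as the Citrix responder-policy mitigation:
    a request that reaches /vpns/ through a /../ segment."""
    return '/vpns/' in decoded_path and '/../' in decoded_path


def find_traversal_attempts(log_text: str) -> list[dict]:
    """Return one record per log line that looks like a CVE-2019-19781 probe."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        path = decode_path(m['target'])
        if is_traversal_probe(path):
            hits.append({
                'src': m['src'],
                'ts': m['ts'],
                'method': m['method'],
                'path': path,
                # A 200 here means the appliance served the path: it was not
                # mitigated. A mitigated or patched appliance answers 403.
                'status': int(m['status']),
            })
    return hits


def summarize_by_source(hits: list[dict]) -> dict[str, int]:
    """Count probes per client address, the first thing to pivot on in triage."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h['src']] = counts.get(h['src'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['method']} {h['path']} -> {h['status']}")
    print(summarize_by_source(found))
```

Point this at the appliance's `httpaccess.log` (or at the reverse proxy in front of it) for the January 8 to January 24 window. Any hit with status 200 after the mitigation date means the mitigation was not in place, which is exactly the condition that left Bretagne Télécom's farm open.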

Bretagne Télécom avoided data loss or ransom payment by restoring encrypted systems from backup snapshots stored on Pure Storage FlashBlade arrays. The recovery process involved restarting each server individually without network connectivity, leveraging the arrays’ Rapid Restore capability and five days of retained backups. Restoration times varied significantly based on data volume: some customers resumed operations within six hours, while others required up to three consecutive days of recovery efforts. DoppelPaymer demanded 35 bitcoins (approximately $330,000) for decryption, which the company refused to pay. Attackers later claimed to BleepingComputer that minimal data exfiltration occurred due to a lack of "interesting" material, though Bretagne Télécom treated the event as a potential breach. The incident highlighted operational resilience through backups but underscored persistent risks from delayed patching of critical vulnerabilities.
