Cyber Incident Victim: Ville de Saint-Nazaire
Date:
Apr 2024
Location:
France
Summary
A cyberattack disrupted municipal operations in Saint-Nazaire, targeting the city administration, its agglomeration authority, and the regional development agency Sonadev. The incident, involving a crypto-virus resembling a prior attack on Angers, forced staff to halt computer and email use while IT teams worked to secure systems with support from Orange Cyberdefense and France's ANSSI. Critical services including birth/death registrations, library loans, urbanism applications, and financial aid processing were degraded or shifted to manual workflows, with temporary emergency phone lines established for utilities and social services. Authorities notified CNIL and filed a criminal complaint, though data exfiltration remains unconfirmed. Service restoration timelines are pending as diagnostics continue.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The cyberattack targeting the Ville de Saint-Nazaire, Saint-Nazaire Agglomération, and the Sonadev agency was first detected on the morning of April 10, 2024, though subsequent analysis indicated the intrusion likely began on April 9. Employees arriving for work on April 10 received immediate instructions not to power on computers or access email via mobile devices due to suspected network compromise. A crisis management unit activated that morning coordinated diagnostic efforts led by the IT department to assess infection scope. Initial impacts included the forced shutdown of all standard IT systems across municipal offices, libraries, and the territorial development agency, with mediathèques specifically confirmed as affected. By April 12, authorities characterized the incident as an unprecedented large-scale cryptovirus attack resembling the 2021 Angers municipality breach, though attribution remained unconfirmed.
Response protocols prioritized system isolation and manual service continuity. Staff shifted to paper-based workflows and personal smartphones unaffected by the attack, maintaining public access to town halls, annex offices, and service counters. Critical infrastructure received emergency contact numbers for water supply, sanitation, road hazards, and social services, though online reporting portals ceased processing submissions dated after April 9. Service disruptions included suspended library loans, canceled bibliobus routes, delayed civil registry processing, halted electronic funds transfers for social aid, and restricted urbanism permit applications to physical submissions. External cybersecurity teams from Orange Cyberdefense and France’s National Agency for Information Systems Security (ANSSI) deployed onsite to assist containment and forensic analysis. Legal measures progressed with a criminal complaint filed through the Paris prosecutor’s office, a gendarmerie cybercrime unit in Rennes assuming investigative control, and mandatory breach notifications submitted to the CNIL data protection authority. Municipal leadership confirmed meal services for schools and daycare centers would operate uninterrupted for three weeks through preemptive contingency planning, while public advisories warned residents about potential data theft risks despite lacking confirmation of exfiltrated personal information. Restoration timelines remained undefined as of April 12, with email systems, internal servers, and main phone lines still inoperative during ongoing recovery efforts.