Cyber Incident Victim: Ministère de la Justice
Date: Jan 2022
Location: France
Summary
The French Ministry of Justice was targeted in a ransomware attack by LockBit 2.0 operators, who claimed to have stolen data and threatened public release unless demands were met. The ministry initiated an investigation and collaborated with relevant services to verify the breach, following alerts about compromised systems. Cybersecurity researchers attributed the breach to unsecured BIG-IP instances, likely exploited through a known remote command execution vulnerability that had previously been patched. The incident aligned with prior audit findings highlighting cybersecurity weaknesses within the ministry. LockBit 2.0, known for leaking data from non-paying victims, had previously targeted major corporations, reflecting broader ransomware threats despite increased global law enforcement actions against such groups.
Description
On January 27, 2022, threat actors using the LockBit 2.0 ransomware publicly claimed to have breached systems belonging to France’s Ministry of Justice. The attackers announced their compromise on a Tor-based leak website, threatening to release an unspecified volume of stolen ministry files on February 10 unless their demands were met. The ministry confirmed awareness of the incident and initiated an investigation, collaborating with unspecified specialized services to conduct verifications. Cybersecurity researcher Anis Haboubi identified unsecured BIG-IP instances as a likely attack vector, suggesting exploitation of CVE-2021-22986—a critical F5 vulnerability patched in March 2021 that permits unauthenticated remote code execution. The ministry did not disclose operational disruptions or confirm data exfiltration but acknowledged the alert through its press office.

The incident followed a Court of Audit report highlighting preexisting cybersecurity deficiencies within the ministry, as noted by journalist Emile Marzolf. LockBit 2.0 operators, known for previous attacks on Vestas and Accenture, maintained their pattern of threatening data leaks against non-paying victims. Global law enforcement pressure on ransomware groups had intensified prior to this attack, including Russia’s FSB arresting alleged REvil members, though LockBit’s operations continued unabated. The ministry’s public response remained limited to confirming investigative measures without detailing containment actions, system impacts, or data sensitivity. No further updates regarding the threatened February 10 leak deadline were disclosed in the available reporting.
