
Cyber Incident Victim: Elysée Cosmétiques

Date: Apr 2023

Location: France

Summary

Elysée Cosmétiques suffered a major cyberattack that encrypted its central servers, forcing a complete halt to production. The attack, attributed to Russian hackers using ransomware, caused significant operational disruption and financial damage estimated at hundreds of thousands of euros per day. The incident resulted in 300 employees being placed on partial unemployment while IT experts worked to restore systems. A complaint was filed with authorities, including the Paris Prosecutor's Office and a cybercrime unit.


Description

On Thursday, April 27, 2023, the European cosmetics manufacturing company Elysée Cosmétiques suffered a significant cyberattack. The attack targeted the company's central servers, which were based in Germany. This incident caused an immediate and complete halt to the company's operations, rendering its factory and production capabilities inoperable. The specific method of attack used by the threat actors was identified as ransomware, a type of malicious software designed to block access to a computer system or data until a sum of money is paid. The ransomware successfully blocked the company’s critical computer applications, which was the direct cause of the operational standstill.


Following the initial attack, the company's management, led by its general director Ramdane Mansoura, entered a state of crisis response. The company formally filed a complaint with law enforcement authorities. Olivier Glady, the public prosecutor in Sarreguemines, confirmed the filing of this complaint. The legal aspects of the case were also escalated to the Paris Prosecutor's Office, and the J3 Cybercrime section was contacted to assist with the investigation. The company's leadership attributed the attack to hackers believed to be operating from Russia, though no specific group was named in the available reports. The director general characterized the situation as a "cyber war," indicating the severity and persistent nature of the attack, noting in a statement on May 9th that "the attacks continue."

The primary impact of the incident was the total cessation of manufacturing activity. This production halt resulted in substantial financial damage for the company, which was estimated at 250,000 euros per day due to the interruption of production and the inability to fulfill orders. The operational paralysis also had an immediate and severe effect on the workforce. With the factory blocked and systems down, 300 employees at the company's Forbach location were placed on partial unemployment, technically known as short-time work, as there was no work for them to perform.

The response to the incident involved a significant digital forensic and information technology recovery effort. IT experts were engaged to meticulously comb through all of the company's data to assess the full scope of the compromise and to identify any potential data exfiltration or corruption. A parallel effort was undertaken to reconfigure the affected machines and systems from clean backups or from scratch to ensure they were free of malware. The company's stated goal was to restore operations in a degraded mode as soon as possible, indicating a prioritization of getting critical systems back online even if not at full functionality. A central point of the incident was the company's refusal to submit to the ransom demand issued by the attackers, a decision that likely prolonged the recovery period but avoided funding criminal activity. The ongoing nature of the attacks as of May 9th suggests that the threat actors continued their offensive efforts beyond the initial encryption event, potentially through follow-on attacks or persistent attempts to re-compromise systems during the recovery phase. The combination of the initial ransomware deployment, the continued attacks, the complete operational shutdown, and the substantial financial and human resource costs paints a picture of a severe and damaging cyber incident with lasting consequences for the business and its employees.
