Cyber Incident Victim: Grenoble INP
Date: Dec 2022
Location: France
Summary
Grenoble INP experienced a cybersecurity incident involving an intrusion into its servers, prompting the institution to disconnect its entire information system from external networks to protect student, staff, and partner data. Initial communications downplayed the event as "anomalies," but subsequent internal messaging confirmed unauthorized access and warned of potential account compromises affecting individuals who interacted with the institution's systems over a five-month period. External services like the main website and VMware Horizon portals became inaccessible, though some resources such as Zimbra remained operational. The organization engaged an external provider to investigate the breach but did not publicly attribute the incident to a specific threat actor or confirm data exfiltration. This disruption followed a similar ransomware attack on another French engineering school months earlier.
Description
On or around December 1, 2022, Grenoble INP – UGA experienced disruptions initially described by its communications department as "anomalies" affecting its servers. The institution isolated multiple systems by disconnecting them from networks, including its primary website and VMware Horizon portal for Ense3, though some services like three Zimbra portals remained accessible. While the communications team initially downplayed the severity, stating there was "nothing dramatic," external sources including an internal message from Inria’s Security Operations Center (SOC) indicated a significant cyberattack involving compromised accounts. This message, circulated to Inria staff who had corresponded with Grenoble INP contacts, warned that interactions over the preceding five months—such as opening files, clicking links, using IT resources, or connecting devices to Grenoble INP’s network—could have led to account or device compromises. Affected individuals were advised to change passwords and report to Inria’s CERT.

By December 6, Grenoble INP’s administrator general, Pierre Benech, formally acknowledged an "intrusion into the servers" via an email to students, confirming the isolation of all servers to protect data belonging to students, staff, and partners. The institution engaged an unnamed external provider to investigate the anomalies but disclosed no technical specifics about the intrusion’s nature or origin. The incident caused prolonged service outages, with critical systems remaining offline days after initial detection. Inria’s alert highlighted broader supply-chain risks, suggesting potential lateral impacts beyond Grenoble INP. The communications department continued to refrain from characterizing the event as a cyberattack despite external assessments. This incident followed a September 2022 ransomware attack on Toulouse INP, which disrupted authentication systems and physical building access, though no direct link between the two events was established in available reporting. Grenoble INP provided no updates on data compromise or recovery timelines beyond its initial statements.
