Real-time ransomware, I experienced a simulated cyberattack against a French telecom giant – Clubic

Ransomware cyberattack, decisions under pressure, and crisis communication.

At the FIC, we experienced the real-time management of a ransomware attack against a telecom operator, in an exciting crisis exercise organized by Alcyconie.

Ransomware cyberattack, decisions under pressure, and crisis communication. On Wednesday, April 2 at the FIC, at the invitation of Alcyconie, a French company specializing in cyber crisis management, I attended, and this is extremely rare for a media, an exercise in accelerated version (1h30) simulating the compromise of “Connectis”, a large French and European telecommunications operator that is totally fictitious, in which real cyber experts were able to take part.

The objective? Immerse participants in the mechanisms of a crisis team confronted with ransomware (or ransomware), while the NIS2 directive, which is more restrictive for companies, has just come into force. You will only see a few images of this exercise, know that it is voluntary. I am trying to protect Alcyconia’s work, as well as the participants in the exercise, some of whom were CISOs, lawyers and others.

Everything is designed to take care of the simulation of the cyberattack, right down to the application environment

It’s the very beginning of the afternoon, everyone is settling in. On my table, I have on my right the screenwriter of a famous French series, who came at the end curious. Opposite, a representative of the Cyber Campus, and not far from there, an investigator from the J3 prosecutor’s office, the cybercrime section of the Paris prosecutor’s office. Then to my left is Stéphanie Ledoux, the founder of Alcyconia, who welcomes the participants with a microphone in hand and explains what she expects from the “players” of this simulation.

” The crisis, for many, is me rolling up my sleeves and getting my hands dirty. What we expect from the strategic units is to make decisions. Each participant receives a card with their role (CISO, HR Director, General Counsel, CIO, communicator and others), and their credentials to access the simulation.

The staging is neat. On each of the four tables filled with experts, two mobile phones ring constantly, which creates a tense atmosphere. No one thinks of turning off the bell in the first few minutes.

A very nice aspect is that the application environment of the simulation faithfully reproduces that of our everyday lives. There are “Emails”, “Pims” (the equivalent of Teams), the social networks “Y” (for X) and “Instarm” (you have it, this one), in addition to the news feed mixing real articles and fictitious content related to the attack. The “Documents” application was also created, as was the “Directory”, an obligation of NIS2 for crisis contacts; and “Main Courant”. The latter is the equivalent of the logbook, the place where everything that happens in the event is traced.

The first phase, that of the first breakdowns and the first reports

2:15 p.m.: In our scenario, the participants discover that Connectis’ central business software has been paralyzed for more than an hour. At this stage, it affects the management of customer subscriptions and invoicing. ” In a cyber crisis, decision-making is of a rare complexity. You are asked to decide when faced with a situation that your brain is struggling to integrate, within a very tight deadline and without concrete elements ,” explains Stéphanie Ledoux.

At 3:12 p.m., the “htf-t” message arrived, received by the Connectis teams. The tension rises a notch. Players multiply the exchanges on the different channels and check the simulated social networks a little nervously, looking for clues.

And indeed, on the Y platform, reports arrive, as is regularly the case when a company says it is experiencing an outage. Real-fake Internet users complain about Y that they can no longer access their Connectis services, which will count for the future.

Faced with ransomware, pressure is mounting in the crisis unit

At 3:26 p.m., an information bomb falls. A ransom note from the Medusa group (which actually exists) arrives by e-mail and in PDF at Connectis. ” Cybercriminals say they are acting in good faith and giving the data back to the company ,” comments Stéphanie Ledoux. ” They have adopted the codes of marketing and even give guarantees in the event of payment.” I am struck by the professionalism and realism of the hackers’ note, far from the image of the famous black screens with a skull and crossbones often conveyed.

On the note, the cybercriminal group says it has penetrated the operator’s network and copied the data. He also says that he has quantified them.

It is 3:27 p.m., the time of the first critical decision: the network shutdown is decided to contain the attack. A heavy decision for a telecom operator. Faces tense and discussions intensify. ” In a real crisis, if someone tries to reach you and it doesn’t go through the door, they will go through the window ,” adds Stéphanie Ledoux, to feed the tension of the moment a little more.

From my vantage point, I see the participants struggling, with smiles that give way to concentration. A CISO frantically tries to reach his technical teams, while a legal director consults the declaration form to the CNEL, the fictitious equivalent of the CNIL, the data watchdog. On a screen, a fictitious press article already announces the cyberattack, with worrying details.

At 3:35 p.m., the legal department sends a link to report the incident to the CNEL. Some DPOs (data protection officers) are hesitant, unfamiliar with this form. ” Companies are often afraid to declare to the authorities, even though it’s in their interest ,” Stephanie tells me.

The new legal obligations come into play

It should be remembered that this simulation is part of the context of the NIS2 directive, a major regulatory framework for cybersecurity. “Tomorrow, organizations will have to have crisis management systems and a cross-functional policy,” explains Ryan Le Calloch, a lawyer at Alcyconie. “We will have to identify who should be around the table, produce reflex sheets, create a crisis directory.”

But back to our simulation. At 3:40 p.m., the call to the ANSSI, the French cyber agency, was made. The “handrail” (logbook) was finally activated, but late. ” In 60 to 70% of cases, no one thinks of it spontaneously ,” observes the founder of Alcyconia. However, this documentation is becoming crucial for insurance and legal proceedings.

The exercise allows us to experiment with these new obligations: we have the declaration form to the CNEL (CNIL), the rapid notification, the meticulous documentation. “In some exercises, we even bring in uniformed gendarmes so that the legal directors can practice filing complaints,” adds Stéphanie Ledoux. This is an essential dimension when you know that without filing a complaint, insurance cannot generally be triggered.

Human Responses to the Crisis That Is Coming to an End

It is 3:50 p.m., and the HR Director of Connectis decides to communicate to the employees. ” Due to an incident, we have to cut off access to our computer system. Switch to the mobile network to operate in degraded mode .” The term “incident” rather than “cyberattack” is debated in my house. I note that even in these simulations, companies are reluctant to use direct terms. Probably so as not to reinforce the state of panic unconscious of the situation.

What is also surprising during the exercise is the pressure behaviour of the participants. Some become hyper-active, others freeze. ” In a real crisis, we saw a CFO who, while everything was collapsing, started to validate his team’s leave. It was her way of staying in her comfort zone ,” says Stéphanie Ledoux.

Are profiles in more difficulty in a crisis situation? ” Yes, lawyers, who are asked to reason very quickly on a subject that is often not theirs, and communicators, who must formulate technically accurate and understandable messages ,” observes the founder of Alcyconia.

At the end of the exercise, after the rather brilliant release of a fictitious press release in barely an hour, a participant confided: ” We leave with very little information. It’s very hard to tell yourself that you’re in crisis but that you don’t have any information to tell .” An essential lesson according to Stéphanie Ledoux: ” Speed does not mean rush. Being reactive does not mean making decisions in a hurry without analysing the situation .”

We will not have a better conclusion. I hope you enjoyed sharing this beautiful cyber experience, almost of life, I would say.

Article written by Alexandre Boero for Clubic.