Most cyber incidents in France have unidentified origins
The European Repository of Cyber Incidents (EuRepoC) is an independent research consortium providing a database of cyber incidents worldwide, updated daily. The EuRepoC systematically collects, categorizes, and investigates publicly accessible information sourced from over 200 distinct channels. In this week’s chart, Surfshark’s research hub looks at cyber incidents targeting France since February 2023 — there were 64 cases (on average, three per month).
Key insights
- Around 83% of cyber incidents in France have no identified country of origin — only 11 of the 64 cases were attributed to at least one origin country. For six of those, Russia was identified as the origin country of the initiators. One of the recent Russia-linked incidents targeted several French government websites.¹ The DDoS attack disrupted the websites of the national police, the National Institute of Statistics and Economic Studies (INSEE), and other public services. Russia has the highest ranking in the World Cybercrime Index (WCI), with a score of 58.39.²,³ The Index is based on data gathered from a survey of 92 top cybercrime experts worldwide, all of whom are involved in gathering and investigating cybercrime intelligence. The other countries identified as origin countries of incident initiators against France were China, Iran, North Korea, Turkey, Bangladesh, and France itself.
- One incident stood out as the most intense, with an intensity score of 6 out of 15 (the average rating of all 64 incidents in France was 3). As the holidays kicked off in December 2023, French company Colipays was hit by a cyberattack.⁴ Delivery addresses were altered, resulting in the delay and loss of shipments. This cyber incident is considered to be of significant political importance due to the widespread disruption of a critical service essential to the functioning of the affected societies.
- State institutions in France were affected by 35 of the 64 incidents. One example was the targeting with ransomware, during the Summer Olympics, of the Réunion des Musées Nationaux network, which included around 40 French museums.⁵ The next most frequently affected sector was critical infrastructure, which was impacted by 30 incidents. For example, in June of 2024, an unknown threat actor compromised the data of French Geopost.⁶ France also saw incidents affecting corporate, education, and science entities, media, social groups, and international/supranational organizations.
- The most common type of incident was hijacking with misuse (when an unauthorized actor gains privileged access to a system and then causes other issues). For example, on May 10, 2024, unknown hackers gained access to the X account of the French sports minister Amélie Oudéa-Castéra, who is responsible for organizing this year's Summer Olympics. Her account was then used to send phishing messages.⁷ Other incident types seen since February 2023 were disruption, data theft, ransomware, and data theft & doxing.
Methodology and sources
Data on cyber incidents in France (between February 1, 2023, and August 27, 2024) was collected from the European Repository of Cyber Incidents on August 27, 2024. The sampled time frame was chosen to ensure that EuRepoC’s data collection is standardized for the analyzed period, given that they made a change in data collection starting February of 2023.⁸ Data was aggregated per month: intensity scores were averaged across all incidents in each month, and origin countries were noted. The number of times specific sectors were targeted and the number of incidents of each type were calculated as well.
As reported by the European Repository of Cyber Incidents, certain incidents can be updated as more information becomes available. For example, cases where the threat actor or initiating country is currently unknown can be updated as investigations conclude and information becomes public.
Note on data: A single incident can affect several sectors (e.g., in exploiting a specific software vulnerability, nefarious actors can use the same attack on several entities if these use the same software), and a single incident can have several types (e.g., hijacking with misuse can coexist with data theft).
For the complete research material behind this study, visit here.