“A cyber attack isn’t a malfunction. It’s a robbery.”

How did you discover that Coaxis was under attack?

Joseph Veigas: At 5 a.m., the on-call service contacted me: part of the infrastructure was no longer visible. At first we thought it was an outage. But very quickly, when I arrived on site, I understood it was a cyberattack. And then imagine our shock when we realized the attacker was Lockbit, one of the most dangerous cybercriminal groups in the world, known for targeting organizations in defense or intelligence. It was overwhelming. You have to ask yourself: why us? We’re just doing our job, operating quietly in the region.

You were used to countering attacks. What made this one different? 

J.V.: That’s right, this wasn’t the first attack. Security issues are extremely prevalent in our line of work, as they are for most players in the digital sector. Almost daily we detect attempted attacks in different forms, ranging from DDoS attacks (editor’s note: distributed denial-of-service) to far more insidious tactics. 
That day, what was different was the precision planning of the attack. They impersonated an employee of one of our customers, acted under the radar and tested our defenses. And when they realized they couldn’t access our backups and found themselves blocked by our firewalls, they launched a cryptolocker that encrypted 24% of our servers before we were able to block everything during the night of 8th to the 9th. Then they sent us a ransom demand file, a $5 million ransomware demand. It was methodical, violent and perfectly executed.

(Ransomware = malicious software that encrypts data and demands a ransom. Cryptolocker = encryption-based blocking.)

What was the immediate impact for your customers?

J.V.: Our role is well known: we host the data of thousands of companies, including many accounting firms. Their information systems became unavailable. The first customers were able to restore their systems within eight days, the last within a month. For an SME like ours, that’s a catastrophic scenario. We knew it would be extremely difficult for them, and that’s also part of the shock: you immediately grasp the scale of it. Where experts were predicting two to three months of work, it took just one month to rebuild 25 years of information systems.

You described the intense psychological violence. How did you experience that? 

J.V.: A cyberattack is a violent act that affects our infrastructure, but it also affects us, our employees, our customers and our customers’ employees. It took me eighteen months to get back to sleeping normally. We didn’t have guns pointed at us, but it felt very much the same.
What affected me the most was seeing years of work suddenly put to the test. We had always taken care to support our customers on these issues in an ongoing and professional way. We felt that we were doing our job well, that we had steadily strengthened our security as cyber threats evolved. We didn’t imagine we could become victims of such an attack when we were this prepared.

How do you organize the response to an attack of this scale? 

J.V.: At 8 a.m. on the day of the attack, we activated the crisis response team with Orange Cyberdefense. By noon, a ‘clean zone’ was already being built: new, isolated servers where we could rebuild without any risk of contamination. Every department was mobilized: technical teams, sales, HR, legal and communications. Some employees stayed on site for more than 24 hours to help rebuild the systems. We had to manage the human side as much as the technical side.

What did Orange Cyberdefense contribute to the rebuilding process? 

J.V.: They worked with us as if they were part of the company. We had to bring the system back up quickly but without skipping steps, otherwise we might overlook a vulnerability, for example. And with Orange Cyberdefense, we were able to rely on the guidance of their teams to make the right decisions. The result: no customer data was exfiltrated. Their digital assets were protected. And that’s what counts – the cybercriminals did not achieve their objective.

What lessons have you learned from this attack?

J.V.: We have further strengthened our cybersecurity policy, but I don’t want to suggest that it wasn’t taken seriously before. What has changed is the speed: sometimes only a few hours pass between the discovery of a vulnerability and its exploitation. We have to be able to react immediately, even if that means disconnecting certain equipment.

What message would you like to share with SME leaders? 

J.V.: These issues must be addressed in a factual and realistic way. Reasoning such as ‘My company is too small to be attacked’ or ‘We’ve never had a problem until now’ no longer holds up. Today, no company can function normally if its information system is taken offline. You have to be prepared and anticipate. And above all understand that this is not over: the scenarios are constantly evolving.