
Bouygues victim of a ransomware: "It's like a kidnapper who sends a little finger"

2020-02-03T15:25:08.590Z


Hit by a cyber attack, the construction group is facing hackers who specialize in extorting large companies. They use
Affected since Thursday by a vast "ransomware" cyber attack, Bouygues Construction is in turmoil. The construction giant's IT teams remain fully mobilized, facing an attack that is completely new from a tactical, technical… and financial point of view. The hackers encrypted the data after having stolen it and will only make it accessible again in exchange for a large sum of money. But, and this is what is new, they are not only paralyzing the business to get their way: they are threatening to publicly disclose the data.

This extortion attempt at a level never seen before in France raises several questions.

What is Maze ransomware?

First appearing on the radar of cybersecurity specialists in May 2019, this ransomware has been involved in several large-scale cyberattacks, and it is something to worry about. "It is part of a new generation that targets businesses much more precisely, in a logic of Big Game Hunting, that is to say hunting big game," said Jean-Christophe Vitu, cybersecurity expert at CyberArk. "The different groups that use it or rent it out to subcontractors call on technical skills and tools previously reserved for state attacks," he warns.

The infection takes place in three stages. First, the cybercriminals enter the system via all-too-conventional methods such as phishing, posing in an email as a public administration, for example. Once inside, they take the time to map the entire infrastructure and recover passwords that open access to other parts of it, such as servers. When they have finished, they discreetly exfiltrate the data to their own storage spaces and encrypt, that is to say render unreadable, what they leave behind.
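The three-stage chain described above is also what a defender can look for. As an added illustration, not part of the article or of any vendor's tooling, the Python below correlates two signals over constructed sample telemetry: an unusually large outbound transfer to a single external address from one host (the exfiltration step), followed within hours by a burst of file rewrites on the same host (the encryption step). The thresholds, host names, addresses and event format are all assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions chosen for this demo, not figures from the article.
EXFIL_BYTES = 500 * 1024 * 1024       # more than 500 MiB to one external host ...
EXFIL_WINDOW = timedelta(hours=1)     # ... within a one-hour sliding window
BURST_WRITES = 200                    # more than 200 file rewrites ...
BURST_WINDOW = timedelta(minutes=10)  # ... within ten minutes
MAX_GAP = timedelta(hours=12)         # the write burst must follow exfiltration within this gap


def _ts(s):
    return datetime.fromisoformat(s)


def exfil_windows(events):
    """Map host -> [(time_threshold_crossed, destination, bytes_in_window)] for outbound
    flows that push more than EXFIL_BYTES to a single destination inside EXFIL_WINDOW.
    Only the first crossing per (host, destination) pair is kept."""
    by_host_dst = defaultdict(list)
    for ts, host, kind, info in events:
        if kind == "net_out":
            by_host_dst[(host, info["dst"])].append((_ts(ts), info["bytes"]))
    hits = defaultdict(list)
    for (host, dst), flows in by_host_dst.items():
        flows.sort()
        start, total = 0, 0
        for t, nbytes in flows:
            total += nbytes
            while t - flows[start][0] > EXFIL_WINDOW:  # slide the window forward
                total -= flows[start][1]
                start += 1
            if total > EXFIL_BYTES:
                hits[host].append((t, dst, total))
                break
    return hits


def write_bursts(events):
    """Map host -> [burst_start] where more than BURST_WRITES file rewrites land inside
    BURST_WINDOW, the typical footprint of bulk encryption on a file share."""
    by_host = defaultdict(list)
    for ts, host, kind, _ in events:
        if kind == "file_write":
            by_host[host].append(_ts(ts))
    bursts = defaultdict(list)
    for host, times in by_host.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if i - start + 1 > BURST_WRITES:
                bursts[host].append(times[start])
                break
    return bursts


def detect(events):
    """Alert only when a write burst on a host follows an exfiltration signal from the
    same host within MAX_GAP: the 'steal first, then encrypt' sequence."""
    alerts = []
    exfil, bursts = exfil_windows(events), write_bursts(events)
    for host, burst_starts in bursts.items():
        for burst_start in burst_starts:
            for exfil_end, dst, total in exfil.get(host, []):
                if exfil_end <= burst_start <= exfil_end + MAX_GAP:
                    alerts.append({"host": host, "exfil_dst": dst, "exfil_bytes": total,
                                   "exfil_end": exfil_end, "burst_start": burst_start})
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real data): one host matching the full sequence,
    one with bulk outbound traffic only, one with a write burst only."""
    base = datetime(2020, 1, 30, 1, 0)
    mib = 1024 * 1024
    ev = []
    # ws-12: three 300 MiB transfers to one external address within 40 minutes,
    # then 500 files rewritten in a little over 8 minutes two hours later.
    for k in range(3):
        ev.append(((base + timedelta(minutes=20 * k)).isoformat(), "ws-12",
                   "net_out", {"dst": "203.0.113.7", "bytes": 300 * mib}))
    enc = base + timedelta(hours=2)
    for k in range(500):
        ev.append(((enc + timedelta(seconds=k)).isoformat(), "ws-12",
                   "file_write", {"path": f"//share/docs/f{k}.docx"}))
    # ws-03: 600 MiB to a backup host, no write burst (a candidate for allowlisting).
    ev.append(((base + timedelta(hours=3)).isoformat(), "ws-03",
               "net_out", {"dst": "198.51.100.9", "bytes": 600 * mib}))
    # ws-07: 300 files rewritten in 5 minutes (e.g. a software rollout), no bulk outbound traffic.
    upd = base + timedelta(hours=4)
    for k in range(300):
        ev.append(((upd + timedelta(seconds=k)).isoformat(), "ws-07",
                   "file_write", {"path": f"C:/app/lib{k}.dll"}))
    return ev


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

Each signal on its own is noisy (backups produce bulk outbound traffic, software rollouts produce write bursts), which is why the sample includes one host for each of those benign cases and only the host showing both signals in sequence raises an alert.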

In the wake of Maze, the Sodinokibi and Nemty ransomware families are also increasingly used. Their operators readily copy the same tactic once they have siphoned off the precious data.

What do the hackers do with their loot?

It is difficult to attribute the cyber attack to a particular group, as the teams fluctuate and cultivate secrecy. The main operator of the Maze ransomware is a group called TA2101 by the cybersecurity company Proofpoint.

Like hunters, the hackers exhibit their trophies on their website, the address of which we will not mention. A section dedicated to Bouygues Construction appeared there on Friday to demand action…

They had already displayed their exploits last year with data from the American cable manufacturer Southwire and from the city of Pensacola, Florida.


"The operating mode of the group which uses Maze is always to publicly name their victim and, if that does not convince the company to pay the ransom, they publish part of the stolen data as proof of their booty while threatening to reveal the rest," says Brett Callow, threat analyst at Emsisoft, a cybersecurity company specializing in the fight against ransomware.

A quick visit to the site, not recommended because of the risk of phishing, shows the extent of the compromised servers, located all over the world.

"It is the equivalent of a kidnapper who sends a piece of a finger and if the target does not pay, they do not hesitate to publish the stolen data," he said.

"They often choose hacker forums or sites that are easily accessible to everyone, including the competition, to show that they are following through on their threats," added another expert who is regularly in contact with hackers.

How is Bouygues Telecom handling the situation?

"The equipment is gradually being returned to service after being tested," the construction group has insisted since last Friday. The technical teams were still working this Monday to restore the computer system with the help of outside specialists.

But even if the construction sites on the ground are operating normally, and even if employees can once again go to the Challenger headquarters in Guyancourt (Yvelines), activity is naturally slowed down in all the branches of the international company.

"On the construction site, we manage with our partners to advance the work but we still do not have access to our emails or internal software," says an employee abroad.

"We still don't have internet access, we do everything by phone. There is no official communication to tell us how long it will last," says another impatient employee at the head office. And he adds: "Looking at previous similar attacks, like at Saint-Gobain or Auchan, we are talking among ourselves about several weeks in this configuration."

Source: leparis
