
A cyberattack is obviously a crisis, right? It is what we call a cyber-crisis, and it underlines the crucial importance of preparing a crisis communication strategy and plan well.


Funnily enough, when the topic of cybersecurity comes up, we frequently think of technology, and we certainly need it! Cyberattacks jeopardise our vital data.

☝🏻️But let’s not forget that people use technology, whether they are employees, customers, suppliers, partners, and so on. All those players are connected via technology, enabling communication. Without it, no sales, no purchases, no partnerships, no relationships.

Thus, you will agree with me that during a cyberattack, it is crucial to protect communication between all these stakeholders. Possibly even more so in the age of AI.

Safeguarding the means of communication is all very well.
Safeguarding the narrative and the mechanics of communication is much better.

👉🏻 Let me share with you an example of effective #cybercrisis #communication management: the Thales case. It demonstrates the importance of being well prepared and how this preparation can mitigate the impact of a crisis.

In a later article, I’ll provide an example of poorly prepared crisis communication management and how it exacerbates the effects of the #cyberattack.


The cyberattack – the facts

31 October 2022, 7:00 am, the eve of a long weekend in France, with the 1 November bank holiday.

A message from the Russian organisation LockBit 3.0 is detected on the darknet, saying that Thales is not protecting its data properly, as they are in possession of certain data. The message is accompanied by a brief description of the type of files (technical and financial data). No data samples are given to show what they have. Simply a veiled threat: ‘If you work with them, contact us to prove it to you’, plus a 7-day timer to react with three greyed-out – and therefore inactive – buttons: pay, negotiate the delay, refuse.

Reaction 1 – Activate crisis mode

In other words, activate the crisis plan drawn up a year earlier and build the crisis unit. Objective: check that it is indeed ransomware and, if so, find out what is in their hands.

The team launches the procedure for collecting indicators of compromise and scans the infrastructure worldwide, across the entire corporate ecosystem, for the vulnerabilities that LockBit usually attacks.

A few hours after the scan was launched, the news went viral, not only among specialist journalists but also among customers, suppliers, partners and government regulators. They had been alerted by notifications from the cyber intelligence companies to which they subscribe that Thales was being targeted by LockBit. The phone kept ringing.

24 hours later – 6 days left

On 1 November, 24 hours later, an analysis of the systems revealed no compromise across the entire fleet, including subsidiaries and in all countries.

As a result, doubts began to creep in about the ransomware, especially as no ransom message had been received from LockBit, who had not even left a means of contacting them anywhere, which is rare in a ransomware case. But it would have made no difference. In France, the custom is to never pay a ransom.

The only solution for the cybersecurity team is to search for the data that could potentially have been stolen. Thalès is enlisting the help of #DarknetScrubbing companies. Depending on the results, they will be able to inform the appropriate parties (customers, suppliers, partners) in due form within the timeframe imposed by LockBit.

Time limit expired

The 7 days are up. The stress is at its peak. A message is published on the Darknet: ‘The deadline has passed and the data has been released’. Only… no data was published. Big Flop.

But the crisis unit remained on alert, and rightly so.

Last Episode

On 10 November, the timer went back into action, saying that 1 hour later, the files would be released. The frontend and backend were being watched like milk on the stove. In the frontend, no files. In the backend, yes.

They download the files in encrypted mode. By analysing the data revealed, it takes them 1 hour to identify the source of the leak: a collaboration server in the extranet zone used for exchanging files with partners, and more precisely a directory shared with a partner in Malaysia concerning product installation and acceptance. No illegitimate access was noted on the Thales side.

The team decided to go back in time to before 31 October. On 26 September, they identified two Thalès accounts compromised by the hacking of the credentials of the partner concerned. Going back a little further in the archives, they noted in mid-August that three accounts were circulating for sale on the darknet, and that these would be exploited on 26 September. The Thales credentials were rejected, but not the partner’s. The login credentials were stolen and only gave access to the partner’s data.

Conclusion

This was not a real cyber attack, but this alert highlighted the importance of good crisis communication management with the media, customers, suppliers and partners.


Proactive and transparent Communication

The only solution in the hands of the crisis management team was to warn all the players in the Thalès ecosystem that a data leak had been declared by LockBit.

The watchwords for communication: COHERENCE, TRANSPARENCY, SERENITY, and REGULAR INFORMATION.

📩Internal Communication📱

Thales notified its staff right away, being careful not to inspire fear. The group’s staff members (nearly 90,000 people worldwide) were regularly updated on developments in the situation, along with a friendly reminder of proper conduct.

Secure internal channels were used for communication and served as a hotline, avoiding insecure or potentially compromised technologies like email. The crisis communications team used a dedicated intranet and the Cybels suite, specifically Cryptosmart, a secure mobile communications solution created in collaboration with Samsung that offers military-grade message encryption. In order to safeguard internal data transfers throughout the crisis, Thales also implemented CipherTrust, a data security platform that encrypts critical data while it’s in transit and at rest.

📢External Communication 📰

Thales promptly informed all parties involved about the LockBit news. It acknowledged the facts, stating that the integrity of its critical systems had not been compromised, that essential functions were not affected at all, and that robust measures were being implemented to prevent future incidents.

It goes without saying that the information provoked mini-crises that the crisis communications managers had to manage.

Communication took place via multiple channels.

  • Press releases and interviews with the media (Reuters, Breaking Defense, etc.).
  • Secure portals for partners and suppliers with access to exchange information and documents.
  • Secure video conferencing and encrypted emails/messages using Cybels solutions for personalised communications: a sort of hotline to answer questions.

As a result, the majority of customers maintained their confidence in Thales. No contracts were terminated, and no complaints were lodged. Only one customer, informed by the press, demanded IOCs (indicators of compromise) even though Thales had not found any. Stéphane Lenco communicated what he had and the problem stopped there.

Some suppliers suspended SLAs without warning, and without any way of being contacted, to protect their infrastructures. These cases were dealt with in the post-crisis review.


PREPARATION ON SEVERAL LEVELS

Stéphane Lenco, Thales CISO, had put in place a crisis management plan the year before, with clearly defined incident response procedures and an escalation framework, based on the analysis of potential cyber threats. Profiles had been identified so that the crisis management team could be assembled immediately.

A dedicated Crisis Team

Thales set up a crisis communication team (CMT), made up of members of the company’s crucial departments, who worked with in-house cybersecurity experts.

Objectives & Responsibilities

  • Increase the security of systems/procedures in the face of the identified threats
  • Implement appropriate and secure communication channels
  • Prepare internal and external communication tools
  • Improve internal information and communication flows with all stakeholders

At the time of the LockBit crisis, the objectives were:

  1. ensure all the security procedures were in place and fully respected
  2. check the potential source of the information leak and identify the type of information that had been leaked
  3. gather as much information as possible, so as not to miss anything important
  4. answer potential questions in good time, transparently and factually, to avoid rumours and misinformation that could possibly damage the company’s reputation

Proactive employee training

Raising awareness

It was important to teach employees the principles of cyberattacks and cybersecurity: types of cyberattacks, best practices, advice on security protocols, internal rules, information on laws, etc.

Simulations

The law recommends one simulation exercise per year, much like fire drills. A simulation is based on defined crisis scenarios. It helps to identify the strengths and weaknesses of the organisation from a technical and human perspective. This is what Thales has applied.

4 POWERFUL BENEFITS

Having been prepared and briefed, the employees reacted as One, following instructions scrupulously. By being kept regularly informed of developments, they felt valued and protected by their employer.

Thanks to regular, transparent communication, customers, suppliers and partners never lost trust in Thales, despite their fear that their data might be published. This trust increased their loyalty to Thales.

Some cyber procedures are subject to the EU's GDPR, DORA and NIS-2 regulations. Swiss authorities require companies to comply with the nLPD and to report a cyberattack with the CSO.

Thales has clearly demonstrated the power of well-prepared communications to overcome a crisis with moderate impact. Its plan and strategy are an example to be followed, not only in its industry but by all potential victims of a cyberattack or crisis.

6 KEY LEARNING POINTS


Of course, not every business has the same technological and financial capabilities as Thales, but SMEs, town halls, trustees, chartered accountants, clinics, and other organisations can nevertheless apply some of the lessons learned from this experience.

1 – Transparency builds trust

Being honest from the outset, even with bad news, helps to maintain trust. Organisations need to recognise the attack quickly and provide regular updates on their response efforts.

2 – Messages prepared in advance = narrative under control

Having ready-to-use communication templates and statements allows you to respond quickly, master the narrative and avoid delays that could damage/kill credibility. Advance preparation enables you to stay one step ahead of the domino events of the cyberattack.

3 – Your reputation is in the hands of all your stakeholders

Engaging both internal stakeholders (such as employees and management) and external stakeholders (customers, partners, suppliers, investors, etc.) is essential. This approach ensures that everyone receives the right message, avoiding the spread of misinformation.

4 – Simulating communication during crisis exercises

Organisations need to practise not only the technical response to a cyber attack, but also how their communications teams will react. By including communication in crisis simulation exercises, teams can be better prepared for real-life scenarios.

5 – A post-crisis review is critical

Analysing what worked well and what didn’t is essential for future resilience, whether that means assessing the effectiveness of the communication, the response time, or the tools used. Any gaps in the plan must be documented to develop actionable steps to address them. Doing this job with all stakeholders helps you to be better prepared for future incidents and to build stronger trust in the ecosystem.

6 – 3rd Parties must be involved

Suppliers, partners, and service providers often play key roles in operations and can help contain the impact of a cyber incident. Establish clear protocols for updating third parties, outlining how and when they will receive information. By keeping them informed, you enhance transparency, reduce the risk of misinformation, and ensure they’re aligned with your recovery efforts.

#cybersecurity #crisismanagement #ransomware #thales #cybels #cryptography #cryptosmart #cipherTrust #digitaltrust #cyberpreparedness


This article is based on online research and a podcast in French, in which Stéphane Lenco, CISO at Thales, tells us about his experience.
