
The La Poste attack in France was a coordinated campaign that targeted critical infrastructure


COMMENTARY: On Dec. 22, while millions of French citizens were tracking their Christmas packages, the La Poste website for France’s national postal service went dark.

The mobile app stopped working. The digital identity service went offline. Banking customers found themselves locked out of online accounts.


Just a few days before Christmas, France's La Poste became the latest casualty in a sustained cyber campaign that most people have never heard of.

The attack wasn't sophisticated. It didn't require a zero-day exploit or nation-state level resources. It was a distributed-denial-of-service (DDoS) attack, the digital equivalent of a mob blocking a store entrance so no one can get in. The timing, the targeting, and what came next made it significant.

This wasn't random

Within hours of the La Poste disruption, a pro-Russian hacktivist group called NoName057(16) claimed responsibility on their Telegram channel. They posted screenshots of downed services. They shared check-host.net verification links proving their targets were offline. They used hashtags like #OpFrance, #TimeOfRetribution, and #F**kEastwood, a reference to the international law enforcement operation trying to disrupt them.

The same day, they claimed attacks on the Rennes Metro, Angers Tramway, French airports, the national road safety agency, and multiple portals belonging to EDF, France's primary energy company. This was a coordinated campaign, not a single attack.

But the part that should concern infrastructure operators goes beyond DDoS. A related group, Z-Pentest Alliance, posted video evidence claiming they had accessed the control systems of two French water treatment plants. They named the facilities. They showed what were apparently SCADA interfaces. They listed the functions they could allegedly control, including pumps, mixers, tank levels, reagent dosing, and pH monitoring.

If those claims are accurate, we're looking at a significant escalation. DDoS attacks are disruptive. Unauthorized access to water treatment controls is dangerous.

A clear pattern has been set

NoName057(16) has been active since 2022, targeting NATO countries that support Ukraine: Denmark, Romania, Finland, Italy, Poland, and now France. The Danish government formally attributed attacks on their infrastructure to this group just days before the French campaign began. They called it hybrid warfare.

The group doesn't hide their motivation. They have an explicit goal: Punish countries that support Ukraine. Create instability. Make citizens lose confidence in their government's ability to protect basic services.

These attacks are deliberately timed. The hacktivists hit Danish websites during municipal elections. They hit Romanian government sites during a presidential campaign. They hit France's postal service at the peak of holiday shipping season. Maximum visibility. Maximum disruption. Maximum headlines.

What this means for critical infrastructure

For organizations running essential services, the lesson isn't complicated. Organizations in a country that belongs to NATO and supports Ukraine should assume they are a target.

DDoS mitigation has become table stakes. Organizations that don't have it are leaving the front door open. But the water treatment claims suggest the threat goes deeper. Remote access to operational technology systems represents a liability if it isn't properly segmented and monitored. Industrial control systems that were designed for reliability, not security, are exactly what groups like Z-Pentest hunt for.

The attackers aren't subtle about their reconnaissance. They publish target lists. They share verification links. They celebrate when services go down. That visibility cuts both ways. Organizations can monitor these channels and see threats forming before they arrive.

The big picture

We're living in an era where geopolitics and cybersecurity are inseparable. A policy decision in Paris about military aid creates targeting lists in Telegram channels hours later. Critical infrastructure operators have become nodes in a global conflict, whether they signed up for it or not.

France had a rough December. The Interior Ministry was breached. A suspect was arrested. La Poste went down. Water utilities were reportedly compromised. Each incident individually looks manageable. Together, they paint a picture of sustained pressure on the institutions that French citizens depend on.

The attackers understand something that defenders sometimes forget. Data theft and ransom aren't the goal here. The attackers aim to erode trust. Erode confidence. Erode the sense that the systems we rely on will run properly when we need them.

The sobering news for defenders: These continued attacks won’t stop when the Christmas packages finally arrive.

Michael Bell, co-founder and CEO, Suzu Labs

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
