Attack alert: qilin targets GROUPE ETMB - FR

DataInTheDark Alert System
Introduction

The Qilin ransomware group struck GROUPE ETMB, a French construction company employing between 250 and 500 people, on December 11, 2025. This breach, classified as SIGNAL level according to our XC-Classify system, affected a construction company founded in 1963, specializing in public works and civil engineering, with a turnover of €50 million. The incident potentially exposes sensitive data related to the organization's infrastructure projects, finances, and human resources. This attack is part of Qilin's aggressive strategy. Operating under a Ransomware-as-a-Service (RaaS) model, the group has been increasing its attacks against French companies in recent months.

The cybercriminal collective Qilin, also known as Agenda, has established itself as a major player in the ransomware landscape by 2025. Active for several years, this group employs a particularly formidable Ransomware-as-a-Service (RaaS) model: it provides its malicious infrastructure to affiliates who carry out intrusions, then shares the ransoms obtained. This decentralized approach allows Qilin to target multiple victims simultaneously, with each affiliate targeting diverse sectors and geographic locations. The group's modus operandi favors double extortion: encrypting systems AND exfiltrating sensitive data beforehand, maximizing pressure on compromised organizations. Attack techniques combine the exploitation of unpatched vulnerabilities, sophisticated phishing campaigns, and the compromise of privileged accounts. A full analysis of the Qilin group reveals that the collective has targeted hundreds of entities worldwide, favoring sectors with high financial resources such as healthcare, manufacturing, and now construction. Qilin's increasing professionalism is evidenced by shorter exfiltration times, scalable technical infrastructure, and increasingly aggressive ransom communication on dedicated leak sites.

Detailed analysis

GROUPE ETMB is an established player in the French construction industry, with over six decades of experience in public works and civil engineering. Founded in 1963, the company has grown to employ between 250 and 500 people today, generating annual revenue of €50 million. Based in France, the organization works on critical infrastructure projects requiring technical expertise and sensitive data management. Its portfolio includes roadworks, sanitation, network, and civil engineering projects, involving the daily handling of highly confidential contractual, financial, and technical information. The nature of GROUPE ETMB's activities generates data that is particularly attractive to cybercriminals: public infrastructure plans, contracts with local authorities, financial bid data, and HR information for hundreds of employees and subcontractors. Other attacks in the construction sector show that construction companies face specific risks related to their extensive supply chains and the multiple third-party access points to their systems. The compromise of GROUPE ETMB could affect not only the company itself, but also its public clients, private partners, and its entire contractual ecosystem.

Our analysis of the certified data classifies this attack at the SIGNAL level according to the XC-Classify system, indicating a detected compromise whose exact extent is still being assessed. This level suggests that the attackers established a presence within GROUPE ETMB's infrastructure and potentially exfiltrated information, although the total volume and maximum criticality have not yet been fully quantified. The exposed data likely falls into three main categories: infrastructure projects (technical plans, feasibility studies, specifications), financial information (accounting, cash flow, customer and supplier invoices), and human resources (employment contracts, payroll, employee personal data). An examination of the available metadata suggests an intrusion that occurred in early December 2025, with the victim being listed on the Qilin leak site on December 11. The typical Qilin operational timeline indicates an initial reconnaissance phase lasting several weeks, followed by rapid privilege escalation and massive exfiltration before encryption is deployed. For a company of this size, the volume of compromised data could reach several tens of gigabytes, encompassing file servers, business databases, and corporate email systems. The XC criticality scale places SIGNAL below PARTIAL and FULL, but a SIGNAL-level event still represents a serious incident requiring an immediate response and thorough forensic analysis.

The construction sector in France faces increasing cybersecurity risks, amplified by the accelerated digitization of business processes and the interconnectedness of stakeholders. Construction companies handle strategic information on national infrastructure, attracting the attention of ransomware groups seeking to maximize financial pressure. French regulations require victim organizations to notify the CNIL (French Data Protection Authority) in the event of a personal data breach within 72 hours, an obligation reinforced by the European GDPR. For GROUPE ETMB, the compromise of HR information for hundreds of employees automatically triggers this notification obligation, with the risk of administrative penalties for non-compliance. Beyond the GDPR, the NIS2 directive, currently being transposed into French law, could soon classify certain construction companies as operators of essential services, imposing stricter cybersecurity requirements and obligations to report incidents to sector authorities. Past experience in the sector shows that attacks against construction companies often trigger chain reactions: public clients demanding security audits, partners temporarily suspending data exchanges, and insurers revising cyber coverage terms. Local authorities that are clients of GROUPE ETMB could demand additional guarantees before continuing contractual collaborations, impacting the company's business pipeline. This dynamic underscores the importance for players in the construction sector to anticipate regulatory and reputational risks, beyond just the immediate technical and financial impacts.

Frequently asked questions

When did the attack by qilin on GROUPE ETMB occur?

The attack occurred on December 11, 2025 and was claimed by qilin. The incident can be tracked directly on the dedicated alert page for GROUPE ETMB.

Who is the victim of qilin?

The victim is GROUPE ETMB and operates in the construction sector. The company is located in France. Visit GROUPE ETMB's official website. To learn more about the qilin threat actor and their other attacks, visit their dedicated page.

What is the XC protocol level for the attack on GROUPE ETMB?

The XC protocol level is currently at XC SIGNAL status, meaning the attack on GROUPE ETMB has been claimed by qilin but has not yet been confirmed by our community. Follow the progress of this alert.

Conclusion

This attack against GROUPE ETMB is certified via the XC-Audit protocol, guaranteeing immutable and verifiable traceability on the Polygon blockchain. Unlike traditional, centralized, and opaque verification systems, our blockchain approach allows anyone to verify the authenticity of the incident, the timeline of events, and the integrity of the associated metadata. Every element of the attack—discovery date, XC level, victim and malicious actor information—is cryptographically timestamped and recorded in a distributed ledger that cannot be retroactively altered. This radical transparency addresses a critical need for trust in the threat intelligence ecosystem, where unverifiable information too often fuels disinformation or manipulation. Organizations can consult the blockchain hash of the attack to confirm that the presented data has not been modified since its initial certification. This approach differentiates DataInTheDark from traditional platforms that rely on blind trust in a centralized third party, without the possibility of independent verification. The XC-Audit protocol thus transforms threat intelligence into a verifiable common good, where every stakeholder—company, researcher, authority—can build their analyses on factually certain and auditable foundations.
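The paragraph above describes the idea behind the certification: a reader who holds the published digest of an alert record can recompute it locally and confirm the record was not altered after certification. The block below is an added illustration, not DataInTheDark's code and not the actual XC-Audit record format, hashing scheme or ledger interface, none of which the page specifies. The field names, the canonical JSON serialisation and SHA-256 are assumptions chosen for the example; the sample record is constructed from the facts stated on this page.

```python
import hashlib
import hmac
import json

# Constructed sample record built from the facts on this page. The field
# names are an assumption for this illustration, not the XC-Audit schema.
ALERT_RECORD = {
    "victim": "GROUPE ETMB",
    "country": "FR",
    "sector": "construction",
    "actor": "qilin",
    "xc_level": "SIGNAL",
    "discovery_date": "2025-12-11",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialise a record deterministically so that the same data always
    hashes to the same digest: sorted keys, no insignificant whitespace,
    and non-ASCII characters escaped so the bytes do not depend on the
    producer's encoding choices. Without a canonical form, two honest
    parties can disagree on the hash of identical data."""
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 hex digest of the canonical form (assumed algorithm)."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def verify_record(record: dict, published_digest: str) -> bool:
    """Check the record you were shown against the digest published at
    certification time (e.g. one anchored in a ledger). compare_digest is
    used so the comparison does not short-circuit on the first differing
    character."""
    return hmac.compare_digest(record_digest(record), published_digest.lower())


def tampered_fields(shown: dict, certified: dict) -> list:
    """When verification fails, tell the responder which fields differ
    between the record they were shown and the certified copy."""
    keys = set(shown) | set(certified)
    return sorted(k for k in keys if shown.get(k) != certified.get(k))


if __name__ == "__main__":
    digest = record_digest(ALERT_RECORD)
    print("certified digest:", digest)
    # A record whose XC level was silently upgraded after certification
    altered = dict(ALERT_RECORD, xc_level="FULL")
    print("altered record verifies:", verify_record(altered, digest))
    print("differing fields:", tampered_fields(altered, ALERT_RECORD))
```

The check only proves that the record is unchanged since the digest was published; it says nothing about whether the record was accurate when it was certified, so the digest complements rather than replaces the victim's own incident confirmation.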

Proof of the leak on GROUPE ETMB