Maritime Computer Emergency Response Team ADMIRAL dataset

Publicly disclosed information for this event

Index Number:
Worm spread on internal defence networks.
Day: 12
Month: January
Year: 2009
Country: France
Activity: Defence
Incident Type: Virus/Ransomware


According to sources, the French military's computer systems faced significant challenges from the malicious code known as Downadup/Conficker at that time. This malware, first detected in November 2008, exploits vulnerabilities in Windows systems. Downadup/Conficker was capable of dynamically altering its digital signature, effectively evading detection by many antivirus solutions. This worm could also lock out user accounts, seek passwords, block antivirus updates, hinder access to Windows Update, and even spread through the auto-run feature of USB drives. By January 12, 2009, the French Navy's internal network, Intramar, which is responsible for transmitting most digital data, was compromised by this malware. The spread was significant enough that certain operational systems had to be halted.

In response to the infection, the French military took drastic measures. Internet access was severed, and the use of USB drives was temporarily banned. The likely origin of the infection was believed to be direct or indirect web connections, possibly via USB drives or laptops, of "closed networks", that is, computers meant to be isolated from external access. This incident underlined the difficulty of keeping a large number of Windows assets up to date at that time.


Ministère de la défense

Claimed/Reported Threat Actor




Main impact



Recommendations to Defence to reduce Virus/Ransomware risks:

  • Map, understand, patch and secure your exposed assets on the Internet.
  • Implement email filtering systems to detect and block phishing emails.
  • Train your organisation and personnel regularly against these threats.
  • Install efficient Endpoint Detection and Response (EDR) tools.
  • Work with your CSIRT organization to better understand the Tactics, Techniques and Procedures used by threat actors.
  • Monitor your IT and OT systems to quickly detect potential pre-ransomware activity.
  • Implement an efficient offline backup policy.
  • Encrypt all sensitive data to avoid further data leaks.
Disclaimer: the data are provided as is. France Cyber Maritime and the M-CERT take no responsibility for the soundness, quality, precision, nor the eventual attribution made by the referenced URLs. We give a lot of respect and support to the victims of attacks.
Files generated on Monday, 11th December 2023.
ADMIRAL is licensed under the Creative Commons CC-BY-NC license. Copyright © France Cyber Maritime 2023.